The National Cyber Security Centre (NCSC) opened this week and is promised to be the “authoritative voice on information security in the UK”.
It is intended that the NCSC will work with business and the public sector to provide information on emerging threats, provide support when attacks happen, and provide education on best practice for maintaining online security.
It will supplement the already useful information that the Information Commissioner's Office (ICO) publishes on its Data Security Incident Trends website.
This additional support should be seen as good news, if you handle personal data, as it should help you in addressing the regulatory burdens we discuss below.
It will also increase the pressure on you to take your duties as seriously as possible, as pleading ignorance or stupidity will be impossible to sustain as the sum total of knowledge and information available to you increases.
Security Under the DPA
It is already the case that if you are a data controller you have good reason to be on top of your security game and fully prepared.
Under the Data Protection Act (DPA), data controllers are under a duty to protect the personal data they control from cyber-security vulnerabilities, including cyber-attacks and cyber-crime; a duty which will change as the state of the art and threat environment changes.
This is a significant duty, and monetary penalties of up to £500,000 (currently) can be imposed by the ICO for breach of it.
This duty is also no idle threat. The most high profile recent example is the cyber-attack on the telecom and internet service provider TalkTalk, which subsequently received the highest fine issued by the ICO to date, £400,000. The reason was simple: TalkTalk had not identified that an unsecured server had been left connected to the internet, giving attackers easy access to its customer database.
You might of course be tempted to think about covering up any breach of security. Except for public communications providers, there is currently no legal obligation to report a security breach under the DPA. However, the ICO is clear that it expects voluntary reporting of breaches (whether you are at fault or not), even if that means you might face a monetary penalty where the breach is due to your poor security measures (reporting does not guarantee you will not be fined). Also, in this social media age, covering anything up is going to be difficult. So, any help you can get in preparing for and dealing with security breaches will help you manage this reality better.
Security Under the GDPR
The General Data Protection Regulation (GDPR), which comes into force in May 2018, replacing the DPA, hardens the existing position under the DPA.
Soon all organisations who handle personal data, whether for their own purposes (as data controller) or as a service to or on behalf of someone else (as data processor), will have even more reason to take cyber security extremely seriously, and to seek any help they can get.
The GDPR materially increases the regulatory burden and expectation on persons who handle personal data, including by:
(a) setting out the security obligations in more detail, and mandating better record keeping;
(b) extending the key security obligations for the first time to data processors (those who handle data on behalf of others) as well as data controllers;
(c) mandating reporting of security breaches for everyone, both to the ICO within 72 hours, and to affected data subjects; and
(d) increasing the maximum monetary penalty substantially to €10 million or 2% of annual global turnover, whichever is greater.
It will be very interesting to see in the coming weeks and months what guidance and assistance the NCSC may provide organisations in relation to cyber-security issues and their increased obligations under the GDPR.
Further Information and Legal Support
If you would like to know more about the GDPR and your obligations contact a member of our Information Law Team or take a look at one of our Geldards' Guides.