In January, the UK government confirmed that it will be
implementing the EU's Network and Information Security
Directive (NIS Directive) regardless of Brexit. EU countries have
until 9 May 2018 to implement the Directive into their
national laws. Given Brexit, the UK government confirmed in its Cyber Security Regulation and Incentives
Review that details of the UK's implementation of the NIS
Directive will be released in 2017.
Protecting critical IT
As reported in our previous blog, the NIS Directive aims to ensure that
critical IT infrastructure in key sectors of the economy is secure
from the ever-growing list of cybersecurity threats. The NIS
Directive will apply to: (i) companies within "critical
sectors" (e.g., banking, health care, energy and transport);
and (ii) digital service providers (e.g., online marketplaces,
search engines and cloud services).
Businesses that operate in one of the above two categories will
be required to take appropriate security measures and to notify the
relevant national authority in the event of a significant
The UK government's current approach is to encourage
organisations to manage their own risk in respect of data, rather
than create more regulations and bureaucratic red tape.
In lieu of setting specific cybersecurity controls or making
cybersecurity insurance mandatory, the government has been pointing
out that investment in cybersecurity is in the best interests of
businesses, and they should conduct self-assessments to ensure that
their cybersecurity practices are up-to-date – especially in
light of the incoming General Data Protection Regulation (GDPR),
which comes into force on 25 May 2018.
Businesses that fail to prepare in advance of May 2018 are most
likely undervaluing the data that they hold, and in particular
placing data at risk.
In turn, such inaction poses significant risks to businesses.
Once the GDPR is in force, businesses will be required to report
any data breach suffered, and could face fines of up to
EUR 20 million, or 4% of total worldwide annual turnover ... a
high price to pay for inaction!