Jayne Goble, public sector security expert at PWC, looks at what the General Data Protection Regulation means for cyber security and whether we're prepared
Public sector organisations need to focus on data and cyber security, not simply because of the costs and the reputational damage breaches cause, but also because of incoming legislation which steps up security and breach reporting requirements, and provides sanctions for non-compliance.
The EU has reached agreement on 2 key pieces of data protection and security legislation – the General Data Protection Regulation (GDPR) and the Network and Information Security Directive (NISD), also known as the Cyber Security Directive.
The GDPR will give individuals stronger rights, empowering them with better control of their data and ensuring that their privacy remains protected in the digital age. The Cyber Security Directive complements the GDPR by requiring protection of the IT systems that underpin critical national infrastructure.
The GDPR will apply to all public sector organisations collecting and/or processing the personal data of individuals in the EU. The Cyber Security Directive will apply to those organisations that operate essential services or provide certain digital services (see below).
The GDPR and Cyber Security Directive are both EU pieces of legislation. This, of course, raises the question of how far UK organisations need to take notice following the result of the EU Referendum.
The Information Commissioner’s Office (ICO) has said that all organisations with operations and/or services within the EU, should work on the assumption that the GDPR will apply. This will ensure the UK maintains ‘adequacy’ for EU purposes and can continue to receive EU personal data.
The Cyber Security Directive will also apply to organisations that provide elements of a country’s critical national infrastructure – i.e. operators in energy, transport, health, and banking – and operate and/or provide services within the EU.
The new Cyber Security Directive, coupled with the GDPR, adds a further compliance obligation for all public sector organisations. They must adjust how they handle data and, in turn, how they approach cyber security.
GDPR and the Cyber Security Directive: main implications for public sector organisations
Although the GDPR and Cyber Security Directive were adopted in 2016, they will not apply until May 2018. This provides a 2-year transition period before both pieces of legislation become enforceable across EU countries, including the UK.
A 2-year grace period may sound generous, but in reality, given the number of teams that will need to be involved to help a public sector organisation comply with the new regulations (such as IT, marketing, legal and compliance, as well as management and operations teams), it is important to consider the implications and plan for the new regulations right now.
As the GDPR and Cyber Security Directive will not apply until May 2018, many public sector organisations will still be in the early phases of understanding the requirements. We have been leading the way in performing GDPR maturity assessments and specific privacy transformation services. Based on this experience, we have identified 5 key implications for public sector organisations:
Changes to the definition of ‘personal data’ and ‘sensitive’ personal data
The definition of what constitutes personal data will expand under the GDPR: it now explicitly covers location data and online identifiers such as IP addresses, and the 'sensitive' (special category) definition is extended to genetic and biometric data alongside health data. This means that more public sector data will be subject to data protection law, and more of it will attract the higher level of protection that applies to sensitive personal data.
Processing based on the ‘legitimate interests’ ground
Public sector organisations that currently rely on 'legitimate interests' (i.e. a legitimate reason for processing personal data that the other conditions for processing do not specifically cover) will need to find an alternative lawful basis, because under the GDPR public authorities cannot rely on this ground for processing carried out in the performance of their public tasks. In most cases the alternative will be a legal obligation or a task carried out in the public interest.
Mandatory breach notification
The GDPR introduces a requirement to report personal data breaches to the Information Commissioner's Office (within 72 hours of becoming aware of them where feasible, unless the breach is unlikely to result in a risk to individuals) and to the affected data subjects where the breach is likely to result in a high risk to them. Public sector organisations will need to put appropriate internal procedures in place to detect, report, and investigate personal data breaches in accordance with the new rules and applicable timescales. In practice this means having logging and monitoring that can establish what happened and when, and an incident response process that can reach a decision on notification within the 72-hour window.
Subject Access Requests
Under the Data Protection Act, data subjects already have a right to be provided with a copy of their data and certain supporting information. However, under the GDPR, more detailed information must be supplied (for example, the retention period and the source of the data), normally free of charge and within one month rather than the current 40 days. This may require additional administrative effort from public sector organisations to comply with the detailed rules set out in the articles.
Cyber Security Directive
Under the Cyber Security Directive, operators of essential services in the energy, transport, banking, and healthcare sectors, as well as providers of key digital services such as search engines and cloud computing services, will be expected to take 'appropriate security measures relating to breach detection, response and reporting'. Public sector bodies that operate such services will therefore need incident detection and reporting capabilities that satisfy both regimes: the GDPR for personal data breaches and the Directive for incidents affecting the continuity of the service.