NIS and GDPR blog by Data Vault leading implementation and training for GDPR

NIS and GDPR

UK Data Protection Act 2018 is going to be more than GDPR

Are you an operator of “essential services” in a “critical sector”, or a “digital service provider”? Then you should know about the NIS Directive.

The new Data Protection Bill currently making its way through Parliament is best known for incorporating the EU General Data Protection Regulation into UK law and updating the existing Data Protection Act 1998. Very little media attention has been given to the separate NIS Directive (the EU Directive on security of network and information systems) that has been bundled in with it. The reason for this is that the government has chosen to bundle a number of things into one legislative package. Crucially, as currently drafted, this means potential exposure to fines of up to 4% of global turnover – the same as GDPR.

Do you provide essential services in the following critical sectors:

  • Energy: including oil, gas and electricity supply, distribution, transmission and storage operators
  • Transport: including air transport, rail transport, water transport, traffic control services, port, airport and rail authorities
  • Banking and financial market infrastructure
  • Healthcare
  • Drinking water supply and distribution
  • Digital infrastructure: including internet exchange points, domain name system service providers and top-level domain name registries.

Operators of essential services must implement state of the art network and information security

Operators of essential services must implement state of the art network and information security systems appropriate to the risk profile of the organisation. These systems should be designed to prevent incidents, minimise their impact and ensure the continuity of essential services. Furthermore, the Directive adds an obligation to report significant incidents without undue delay.

There are also less onerous provisions for “digital service providers,” which include online marketplaces, search engines and cloud computing services (smaller organisations are exempt).

Many sectors in this list will have “state of the art” cyber security; others may not. Some of these sectors are known for underinvestment in IT: think of healthcare, rail, ports or water.

This legislation places a significantly increased legal obligation on these organisations and backs it up with a big stick

Critical infrastructure has always had a focus, but this legislation places a significantly increased legal obligation on these organisations and backs it up with a big stick. For these organisations, complying with the Data Protection Act 2018 is much more than just GDPR!