The GDPR and NIS Directive: Risk-based security measures and incident notification requirements

Similar documents
The Role of the Data Protection Officer

Data Breaches and the EU GDPR

Conducting a data flow mapping exercise under the GDPR. Presented by: Alan Calder, founder and executive chairman, IT Governance 4 October 2017

The GDPR: The catalyst for customer July 2017

Directive on Security of Network and Information Systems

Regulating Cyber: the UK s plans for the NIS Directive

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

NIS-Directive and Smart Grids

Directive on security of network and information systems (NIS): State of Play

ENISA s Position on the NIS Directive

NIS, GDPR and Cyber Security: Convergence of Cyber Security and Compliance Risk

General Data Protection Regulation (GDPR)

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

Cybersecurity Considerations for GDPR

Cybersecurity Policy in the EU: Security Directive - Security for the data in the cloud

Data Breach Notification: what EU law means for your information security strategy

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

NEWSFLASH GDPR N 8 - New Data Protection Obligations

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

EU General Data Protection Regulation (GDPR) Achieving compliance

The NIS Directive and Cybersecurity in

First aid toolkit for the management of data breaches. Mary Deligianni Senior Associate 15 February 2018

Introductory guide to data sharing. lewissilkin.com

Motorola Mobility Binding Corporate Rules (BCRs)

CNPD Course: Data Protection Basics

General Data Protection Regulation (GDPR) The impact of doing business in Asia

Data Processing Clauses

Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679)

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679

How the GDPR will impact your software delivery processes

GDPR: A QUICK OVERVIEW

Getting ready for GDPR. Philipp Hobler EMEA Field CTO Global Technology Office Dell EMC Data Protection Solutions

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Privacy Code of Conduct on mhealth apps the role of soft-law in enhancing trust ehealth Week 2016

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

Data Processing Agreement for Oracle Cloud Services

GDPR AND GRC: GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE FOR DATA PROTECTION

G DATA Whitepaper. The new EU General Data Protection Regulation - What businesses need to know

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

Exploring the European Commission s Network and Information Security Directive (NIS) What every CISO should know

European Union Agency for Network and Information Security

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

EU data security and privacy trends

COMMENTARY. The New EU Cybersecurity Directive: What Impact on Digital Service Providers? Relevant Terms

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

ARTICLE 29 DATA PROTECTION WORKING PARTY

DATA PROCESSING TERMS

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

Prohire Software Systems Limited ("Prohire")

DATA PROCESSING AGREEMENT

Data Processing Agreement

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

Element Finance Solutions Ltd Data Protection Policy

Eco Web Hosting Security and Data Processing Agreement

Getting ready for GDPR

Data Protection and GDPR

Our agenda. The basics

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

Network and Information Security Directive

GDPR compliance: some basics & practical to do list

New cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017

Data Protection Policy

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

IMPACT OF INTERNATIONAL PRIVACY REGULATIONS. Michelle Caswell, Coalfire Julia Jacobson, K&L Gates

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679

Data Processing Agreement

EXAM PREPARATION GUIDE

AIRMIC ENTERPRISE RISK MANAGEMENT FORUM

SCHOOL SUPPLIERS. What schools should be asking!

Google Cloud & the General Data Protection Regulation (GDPR)

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

Resilience, Deterrence and Defence: Building strong cybersecurity for the EU

COMMISSION STAFF WORKING DOCUMENT EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT. Accompanying the document

DATA PROCESSING AGREEMENT

General Data Protection Regulation (GDPR) Key Facts & FAQ s

BHConsulting. Your trusted cybersecurity partner

Knowing and Implementing the GDPR Part 3

Changing times in Swiss Data Privacy: new opportunities? Microsoft Security Day 27 April 2017 Clara-Ann Gordon

German Data Processing Addendum MailChimp

GDPR - Are you ready?

Cisco Spark and GDPR. Thomas Flambeaux. Collaboration Consulting Solution Engineer, Security and Compliance. Cisco Connect 2018 Copenhagen April 12th

Creating NIS Compliant Country in a Non-Regulated Environment. Jurica Čular

Creative Funding Solutions Limited Data Protection Policy

HPE DATA PRIVACY AND SECURITY

PS Mailing Services Ltd Data Protection Policy May 2018

Data Processing Agreement

Disruptive Technologies Legal and Regulatory Aspects. 16 May 2017 Investment Summit - Swiss Gobal Enterprise

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

IT MANAGEMENT AND THE GDPR: THE VMWARE PERSPECTIVE

Arkadin Data protection & privacy white paper. Version May 2018

GDPR How to Comply in an HPE NonStop Environment. Steve Tcherchian GTUG Mai 2018

DECISION OF THE EUROPEAN CENTRAL BANK

Discussion on MS contribution to the WP2018

Customer EU Data Processing Addendum


Transcription:

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 4 May 2017

Introduction Adrian Ross GRC consultant Infrastructure services Business process re-engineering Business intelligence Business architecture Intellectual property Legal compliance Data protection and information security Enterprise risk management

IT Governance Ltd: GRC one-stop shop All verticals, all sectors, all organisational sizes

Agenda TM An overview of the regulatory landscape Subject matter, material and territorial scope Remedies, liabilities and penalties Personal data breaches under the GDPR The NIS Directive Operators of essential services Digital service providers GDPR vs NIS Directive

The nature of European law Two main types of legal instrument: Directives º Require individual implementation in each member state º Implemented by the creation of national laws approved by the parliaments of each member state º Directive on security of network and information systems (Directive (EU) 2016/1148) Regulations º Immediately applicable in each member state º Requires no local laws to implement º General Data Protection Regulation (Regulation (EU) 2016/679)

The General Data Protection Regulation (GDPR)

Article 99: Entry into force and application This Regulation shall be binding in its entirety and directly applicable in all Member States. KEY DATES On 8 April 2016, the European Council adopted the Regulation. On 14 April 2016, the European Parliament adopted the Regulation On 4 May 2016, the official text of the Regulation was published in the EU Official Journal in all the official languages. The Regulation entered into force on 24 May 2016, and will apply from 25 May 2018. http://ec.europa.eu/justice/data-protection/reform/index_en.htm Final text of the Regulation: http://eur-lex.europa.eu/legal-content/en/txt/?uri=celex%3a32016r0679

Articles 1 3: Who, and where? Natural person = a living individual Natural persons have rights associated with: The protection of personal data The protection of the processing personal data The unrestricted movement of personal data within the EU In material scope: Personal data that is processed wholly or partly by automated means; Personal data that is part of a filing system, or intended to be. The Regulation applies to controllers and processors in the EU irrespective of where processing takes place. The GDPR applies to controllers not in the EU

Remedies and liabilities Natural Persons have rights Judicial remedy where their rights have been infringed as a result of the processing of personal data. º In the courts of the Member State where the controller or processor has an establishment. º In the courts of the Member State where the data subject habitually resides. Any person who has suffered material, or non-material, damage shall have the right to receive compensation from the controller or processor. Controller involved in processing shall be liable for damage caused by processing.

Penalties Administrative fines In each case will be effective, proportionate, and dissuasive º taking into account technical and organisational measures implemented; 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year. 20,000,000 or, in case of an undertaking, 4% total worldwide annual turnover in the preceding financial year.

Data breaches in the UK January to March 2016 448 new cases Data breaches by sector Health (184) Local government (43) Education (36) General business (36) Finance, insurance and credit (25) Legal (25) Charitable and voluntary (23) Justice (18) Land or property services (17) Other (41) Source: UK Information Commissioner s Office

Key facts about cyber breaches TM Number of data breaches detected in 2016 Median number of breaches per company Costs associated with the most disruptive breaches Large organisations: Mean - 50k Highest - 3m Small organisations: Mean - 5k Highest - 100k IPSOS Mori: 2016 Cyber Security Breaches Survey

Types of breach occurrence TM IPSOS Mori: 2016 Cyber Security Breaches Survey

Article 32: Security of processing A requirement for data controllers and data processors to implement a level of security appropriate to the risk, including: pseudonymisation and encryption of personal data ensure the ongoing confidentiality, integrity and availability of systems a process for regularly testing, assessing and evaluating the effectiveness of security measures security measures taken need to comply with the concept of privacy by design

Article 33: Personal data breaches Definition A 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Data processor Notify data controller without delay No exemptions All data breaches have to be reported European Data Protection Board (EDPB) to issue clarification with regard to undue delay Obligations Data controller Notify supervisory authority no later than 72 hours Unnecessary in certain circumstances Description of the nature of the breach No requirement to notify if no risk to rights and freedoms of natural persons Failure to report within 72 hours requires explanation

Article 34: Personal data breaches Obligation for data controller to communicate a personal data breach to data subjects Communication to the data subject without undue delay if high risk Communication in clear, plain language Supervisory authority may compel communication with data subject Exemptions: if appropriate technical and organisational measures taken if high risk to data subject will not materialise if communication with data subject would involve disproportionate effort

Independent supervisory authorities Member states must create independent supervisory authorities and resource them appropriately Tasks: º Monitor and enforce º Communicate º Promote awareness Powers: º To investigate, correct, advise, enforce Leading supervisory authority for multi-state controllers

Cyber security assurance GDPR requirement data controllers must implement appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with this Regulation. Must include appropriate data protection policies Organisations may use adherence to approved codes of conduct or management system certifications as an element by which to demonstrate compliance with their obligations ICO and BSI are both developing new GDPR-focused standards ISO 27001 already meets the appropriate technical and organisational measures requirement BS 10012 developed specifically for the GDPR It provides assurance to the board that data security is being managed in accordance with the regulation It helps manage ALL information assets and all information security within the organisation protecting against ALL threats

Network and Information Directive (NIS)

Article 26: Entry into force and application Member States shall adopt and publish, by 9 May 2018, the laws, regulations and administrative provisions necessary to comply with this Directive. KEY DATES On 6 July 2016, the Directive was adopted by the European Parliament. On 19 July 2016, the official text of the Directive was published in the EU Official Journal in all the official languages. The Directive entered into force on 8 August 2016, and applies from 10 May 2018. https://ec.europa.eu/digital-single-market/en/network-and-information-security-nisdirective Final text of the Directive: http://eur-lex.europa.eu/legalcontent/en/txt/pdf/?uri=celex:32016l1148&from=eno

Network and Information Security Directive 2013 Cybersecurity Strategy The NIS Directive is the first comprehensive piece of EU legislation relating to the 2013 EU Cybersecurity Strategy. Its objective is to achieve a high common level of security of network and information systems across the EU through improved cyber security capabilities at a national level and increased EU-level cooperation. Processing of personal data to comply with Directive 95/46/EC

Network and Information Security Directive Article 1: Subject matter and Scope A high common level of security of network and information systems within the Union so as to improve the functioning of the internal market. Obligations on member states to adopt a national strategy for security of network and information systems Creates a Cooperation Group in order to support and facilitate strategic cooperation and the exchange of information among member states Creates a computer security incident response teams network ( CSIRTs network ) in order to contribute to the development of trust and confidence between member states Establishes security and notification requirements for operators of essential services and for digital service providers Lays down obligations for member states to designate national competent authorities, single points of contact and CSIRTs with tasks related to the security of network and information systems.

Network and Information Security Directive Operators of essential services and digital service providers Operators of essential services Operators of critical infrastructures in industry sectors such as energy, transport, banking, financial market infrastructure, health, water, and digital infrastructure including Internet exchange points, domain name system service providers etc. Public or private entities set out in Annex II of the Directive. Digital service providers Any legal person that provides a digital service, such as online marketplaces, online search engines, Cloud computing services, app stores etc. Does not apply to micro and small enterprises.

Network and Information Security Directive Article 1: Subject matter and scope Directive does not apply to all operators of essential services or DSPs Certain sectors are already sufficiently regulated, or may be in the future If this is the case then the NIS Directive has no application Sector-specific regimes must supply equivalent protection

Network and Information Security Directive Article 5: Identification of operators of essential services Each country designates which essential services are within the scope of the Directive. Member states shall identify the operators of essential services with an establishment on their territory by 9 November 2018; º Set criteria for the identification of the operators of essential services: º An entity provides a service which is essential for the maintenance of critical societal and/or economic activities; º The provision of that service depends on network and information systems; and º An incident would have significant disruptive effects on the provision of that service. List of operators of essential services subject to revision every two years.

Network and Information Security Directive Recital 57: Directive applies to all digital service providers Member state rules apply to establishment of DSPs This follows the approach used by ECJ, case law and the GDPR. Recital 65: Directive applies to digital service providers outside the EU that offer services within the EU The use of a language or currency that is generally used in one or more Member State may indicate that DSPs outside the EU are offering services within the EU. DSPs outside the EU that offer services within the EU must designate a representative to act on their behalf, including in relation to incident reporting. Representative contact point for competent authorities and CSIRTs.

Network and Information Security Directive Article 14: Security requirements and incident notification Operators of essential services must: Take appropriate technical and organisational measures to manage the risks to the security of networks and information systems Take steps to prevent and minimise the impact of incidents with a view to ensuring continuity of services. Notify the competent authority or the CSIRT without undue delay of incidents having a significant impact on the continuity of the essential services. In order to determine the significance of the impact of an incident, the following shall be taken into account: The number of users affected by the disruption of the essential service The duration of the incident The geographical spread with regard to the area affected by the incident.

Network and Information Security Directive Article 16: Security requirements and incident notification Digital service providers must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems. Including the following elements: the security of systems and facilities incident handling business continuity management monitoring, auditing and testing compliance with international standards. The Commission can further specify the elements above but the member state cannot impose any further security or notification requirements on the digital service provider. Digital service providers must take steps to prevent and minimise the impact of incidents affecting the security of their network and information systems on the services offered within the Union, with a view to ensuring the continuity of those services.

Network and Information Security Directive Article 16: Security requirements and incident notification Must ensure that Digital service providers must ensure they notify the competent authority or the CSIRT without undue delay of any incident having a substantial impact on the provision of a services within the Union. When determining whether the impact of an incident is substantial, the following parameters in particular shall be taken into account: the number of users affected by the incident, in particular users relying on the service for the provision of their own service the duration of the incident the geographical spread with regard to the area affected by the incident the extent of the disruption of the functioning of the service the extent of the impact on economic and societal activities

Network and Information Security Directive Intention is to have a high level of harmonisation across the member states. Subject to variation by member state through method of adoption. In France, many of the requirements are already set out in the Military Planning Act. In Germany, the IT Security Act covers many of the requirements of the NIS Directive. Other member states like the UK do not currently have detailed cyber security laws. Possibility of many different sector-based competent authorities. Implementation by the combination of new laws and amendment of existing laws. This approach is contrary to harmonisation.

The GDPR Intention is the harmonisation of data protection across the member states GDPR derogations allow variation between member states Mandatory appointment of DPOs in certain circumstances Mandatory breach reporting in certain circumstances Prior consultation where there is a high risk to data subjects Data processors now brought into scope Controllers have to demonstrate accountability Introduction of administrative fines

IT Governance: GDPR one-stop shop Self-help materials A Pocket Guide www.itgovernance.co.uk/shop/p roduct/eu-gdpr-a-pocket-guide Implementation manual www.itgovernance.co.uk/shop/pr oduct/eu-general-data-protectionregulation-gdpr-animplementation-and-complianceguide Documentation Toolkit www.itgovernance.co.uk/shop/p roduct/eu-general-dataprotection-regulation-gdprdocumentation-toolkit Compliance Gap Assessment Tool www.itgovernance.co.uk/shop/pr oduct/eu-gdpr-compliance-gapassessment-tool

IT Governance: GDPR one-stop shop Training courses 1-Day accredited Foundation course (classroom, online, distance learning www.itgovernance.co.uk/shop/product/certified-eu-general-dataprotection-regulation-foundation-gdpr-training-course 4-Day accredited Practitioner course (classroom, online, distance learning) www.itgovernance.co.uk/shop/product/certified-eu-general-dataprotection-regulation-practitioner-gdpr-training-course 1-Day Data Protection Impact Assessment (DPIA) Workshop (classroom) www.itgovernance.co.uk/shop/product/data-protection-impactassessment-dpia-workshop

Questions? aross@itgovernance.co.uk 0845 070 1750 http://www.itgovernance.co.uk

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback