It is the testing of digital processes and systems to assess the potential for a data breach of any stored personal data. This includes 3 main areas:
Cyber threats come from hackers and bots who may use personal data for their own commercial gain or to damage the reputation of a company.
Any business that deals with customer information that is essential for the maintenance of critical social or economic activities is affected by the Directive on Security of Network and Information Systems (NIS Directive). Any business that holds, transmits and uses personal data is affected by the GDPR.
(This means: energy companies, water companies, all transport companies, financial services, healthcare, internet exchange, domain name providers and others are affected by the NIS Directive and all internet transactional companies by the General Data Protection Regulation (GDPR). If you are unsure – ask us.)
The NIS Directive says that digital service providers and companies “that provide a service which is essential for the maintenance of critical societal/economic activities” will be responsible for ensuring a level of security of network and information systems to prevent and minimize the impact of incidents on the IT systems used to provide their services.
The Directive does not define a threshold of what is a significant incident requiring notification to national authorities, but it does define three parameters which should be taken into consideration: the number of users affected; the duration of the incident; and the geographic spread.
Operators must be preparing now to implement the Directive’s requirements to ensure compliance and avoid potential penalties.
The law will come into effect in May 2018, but any breaches since summer 2016 may be liable for penalties, since companies are expected to be gearing up during this period.
This is in addition to the existing GDPR, which mandates the protection of personal data and notification of breaches, and requires a minimum level of security assurance for any personal data stored.
Not really. In the wake of Brexit, in practical terms, UK organizations should still look to be compliant with this new European legislative measure. Also, the UK will still be subject to this legislation where UK companies process EU citizens’ personal data in connection with their offer of goods or services, or if they provide “monitoring” activities. The same applies if a group company is located in the EU or has staff operating within any EU member state.
Notification of an incident must be made to authorities “without undue delay,” normally expected within 24-72 hours after the breach is discovered.
It is important to recognize that mere “compliance” is not adequate to protect against modern advanced attacks. Real security is more than compliance—it is a comprehensive security programme that includes non-signature-based detection and advanced threat defences.
If you run, are involved in the running of, are invested in or are thinking about investing in a company that holds any customer data at all, you need to check that you are compliant. If you do not, then the following might impact the company: