What is Cyber Security Law?
Cyber security laws determine standards, rules, and regulations organisations should follow when using digital systems to store, retrieve, and send information in order to protect it from unauthorised access and data breaches. The laws consider legal implications of internal threats to organisations (e.g. from employees and software), as well as external threats like hackers and other malicious parties (e.g. competitors, disgruntled customers, and so on).
All organisations have a responsibility for maintaining compliance with cyber security law, and for empowering their employees to be aware of cyber security practices and their impact upon data protection. Organisations that fail to provide a good level of cyber security, and that consequently suffer a breach, stand to lose the trust of their customers, as well as suffer financial implications (through fines and lost sales).
Cyber Security Laws
The EU's GDPR and the UK's third generation Data Protection Act 2018 (DPA 2018) both aim to modernise data protection laws, taking into account the increased need for cyber security regulation in the digital age. The GDPR will take effect across all EU countries, and any countries wishing to offer goods and services to the EU, but it does allow EU countries to make provisions (on a strictly limited basis) for how it will apply in their country. To that end, the UK DPA 2018 applies GDPR standards (since Britain will continue to trade with the EU even after Brexit), but has been adjusted to afford the UK certain data processing rights for domestic issues, e.g., national security and the ICO's duties, that are not the concern of the international community.
Under GDPR, the requirement for organisations to process digital data with appropriate technical and organisational security measures is made clear, and the legislation extends data protection principles to include key definitions for 'data controllers' (the organisation that owns data and decides where it will go and what it will be used for) and the 'data processor' (the organisation that processes data on the controller's behalf).
GDPR stipulates that data processors, as well as data controllers, must take all necessary measures to ensure against unlawful and unauthorised data processing practices, including accidental loss, unlawful alteration, destruction, or damage of data. Organisations that process digital data must undertake risk assessments to evaluate and, as much as possible, mitigate the risk of a security breach. Adequate measures might take the form of encryption, cyber security training, up-to-date antivirus software, and so on.
How Cyber Security Laws Affect Organisations
The results of failing to observe cyber security best practices under the GDPR and the UK DPA 2018 can be devastating for organisations, particularly with regard to the potential administrative fines under GDPR (up to 4% of annual turnover or €20M – whichever is larger) for non-compliance. More than the threat of financial penalties, though, it is hoped that GDPR directives will drive organisations to promote strong privacy and security practices, using the 2018 laws as an opportunity for positive change in the field of compliance and setting a global standard for data protection.
The accountability clause in the GDPR urges organisations to take a more active role in the data protection and cyber security policies they implement. Accountability means an organisation must establish a proactive system for data protection, as the responsibility falls on them to ensure compliance with cyber security laws.
In previous systems, accountability clauses governed who was to blame in the event of a breach, but now the push is for organisations to implement a proactive, rather than reactive, system. This means that businesses need to alter how they work in the long term in order to continuously meet the regulations set by the GDPR.
If organisations expect their employees to take cyber security seriously, they need to embed compliance firmly within the working environment as standard. By regularly training employees and keeping them involved in conversations and updates about cyber security, the results will go well beyond what is simply mandated by law.
By spreading the message that everyone is accountable for cyber security, and by offering regular training that is both up-to-date and engaging enough to empower employees, organisations can build self-governing accountability cultures that go above and beyond the minimum requirements of cyber security laws.