This year marks a major step towards a digital single market in the European Union, with the General Data Protection Regulation (GDPR) and the National Information Security Directive (NISD) providing the legislative backbone for the future of cyber security and data protection within the EU. In 2016, it is expected that we will see the GDPR and NISD approved by the European Parliament’s Internal Market Committee and the Council Committee of Permanent Representatives, with both pieces of legislation expected to come into force within about two years.
Underpinning the changes is a desire on the part of the EU to set common standards for data protection and cyber security across the EU through unifying pieces of legislation. The GDPR and NISD will mean a move away from the existing fragmented system, where each country has differing legislation and where businesses operating across the EU may have to comply with varying pieces of legislation. The NISD and GDPR will introduce pan-European rules that provide increased protection for the consumer in terms of their personal data, introduce minimum levels of cyber security for essential services and remove red tape for businesses transferring data across the EU.
What changes can we expect?
The NISD will place a requirement on the providers of certain critical infrastructure to take steps to detect and effectively manage cyber-security risks. The operators of essential services (including energy, transport, banking and health, as well as key internet services) will also need to notify national authorities of any breaches to their IT systems that are likely to have a significant impact on the services they provide.
The GDPR will promote greater accountability, increased transparency and controls in order to allow individuals to better manage their own personal data. Notable changes to the existing data protection rules include:
- Easier access to personal data for individuals.
- A right for individuals to transfer their data between service providers more easily.
- A clarification on the right for individuals to be forgotten.
- The right for individuals to be notified when their data has been hacked.
How will these changes impact businesses?
At this stage, it is difficult to assess in detail how widely we can expect the legislation to apply. What is clear is that the NISD will place a new obligation on businesses to disclose cyber-security breaches. Once the text for the NISD has been released, businesses will need to clarify whether they are classified as an operator of essential services (the criteria for which have yet to be defined), and are thereby covered by the obligations under the NISD.
For small and medium-sized enterprises (SMEs), it is expected that the new GDPR will significantly remove red tape in the following areas:
- No requirement for notifications to be sent to national authorities.
- Where requests for data are excessive or unfounded, an SME may charge a fee for providing the information.
- No requirement to appoint a data protection officer, as long as the main activity of the business is not data processing.
- No requirement to conduct impact assessments, except where it is deemed that there may be a high risk.
Getting prepared
In readiness for the NISD, businesses should consider:
- How robust their existing IT systems are and whether they are capable of dealing with a potential cyber-security breach.
- Conducting a thorough review of the existing security systems that are in place.
- Putting in place a cyber-security policy, if they do not already have one.
When in force, the NISD and GDPR will both come with potentially heavy sanctions for businesses where an infringement is intentional or is attributable to a company’s negligence. To avoid any unnecessary sanctions, it is imperative that businesses review their systems to ensure they are fully prepared for the implementation of the new legislation.