Cyber Security Awareness: The Legislation and Regulation
The importance of cyber security has grown in 2020, with the Covid-19 pandemic in particular playing a key role. Attackers use many different methods, including malware, to gain access to your own and your company's sensitive information, which has meant that many companies have had to impose tighter restrictions on who can access their information.
Information and data are extremely valuable and sensitive assets for companies, organisations and individuals, so their storage, use and transmission are heavily regulated by governments around the world.
UK Data Protection Act
The Data Protection Act (DPA) controls how your personal information is used by organisations, businesses or the government. Everyone responsible for using data has to follow strict rules called 'data protection principles':
- It is used fairly and lawfully, for limited and specifically stated purposes, in a way that is adequate, relevant and not excessive
- It is accurate
- It is kept for no longer than absolutely necessary
- It is handled according to people's data protection rights
- It is kept safe and secure
- It is not transferred outside the European Economic Area without adequate protection
There is stronger legal protection for more sensitive information, such as ethnic background, political opinions, religious beliefs, health, sexual health and criminal records.
The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The DPA is enforced by the ICO, which has several options when it finds an organisation to be in breach of the act.
Other UK laws that affect information security within an organisation include:
- Copyright, Designs and Patents Act 1988
- Malicious Communications Act 1988
- Computer Misuse Act 1990
- Freedom of Information Act 2000
- Privacy and Electronic Communications Regulations 2003
- Digital Economy Act 2010
General Data Protection Regulation
The General Data Protection Regulation (GDPR) regulates the processing of personal data within the European Union. Disclosure of personally identifiable information is very tightly regulated and can result in prosecution. It applies to all EU member states, with no room for tailoring it to a national legal system. Since its introduction in May 2018, the GDPR has allowed member states to be more consistent in tackling cybercrime and has made it more difficult for loopholes in legislation to be exploited. Depending on which provision is breached, companies can face fines of 10-20 million euro or 2-4% of their global annual turnover, whichever is higher.
Similarities between the GDPR and the UK Data Protection Act
Personal Data: Like the Data Protection Act (DPA), the GDPR applies to 'personal data'. However, the EU's definition is more detailed and makes it clear that any information that can be used to identify someone, for example IP addresses and mobile device IDs, counts as personal data. This more expansive definition allows a wide range of personal identifiers to constitute personal data, reflecting changes in technology and in the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA's definition, and could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – for example, key-coded – can fall within the scope of the GDPR, depending on how difficult it is to attribute the pseudonym to a particular individual.
Sensitive Personal Data: The GDPR refers to sensitive personal data as 'special categories of personal data'. These categories are broadly the same as those in the DPA, but there are some minor changes. For example, the special categories specifically include genetic and biometric data, which are processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to processing it.
Got any questions regarding the GDPR or UK Data Protection Act and how Sytorus can help you comply with the Regulation? Contact the team to schedule a meeting.