"My Government’s legislative programme will be mission-led and based upon the principles of security, fairness and opportunity for all."
This statement set the tone for a lengthy address to Parliament by King Charles III, but what does this mean for the world of cyber security and data protection given the emphasis on 'security' as one of the principles?
Of the approximately 40 bills that were introduced in the address, two are of particular interest:
Digital Information and Smart Data Bill
This bill will:
Enable the development and deployment of new innovative uses of data such as the Digital Verification Scheme that allows trusted and certified organisations to provide digital identity products and services (i.e. a 'Digital ID' to purchase age-restricted goods or for pre-employment identity verification checks).
Update the data sharing rules and measures such as the creation of Smart Data Schemes and amendment to the Digital Economy Act.
Update to the level of consent required for scientific research.
Strengthen the powers of the ICO and change its regulatory structure to incorporate a board and various C-suite roles.
Cyber Security and Resilience Bill
This bill will:
Update existing regulations in the UK such as the Network and Information Security (NIS) Regulations 2018, which will be replaced by the NIS-2 Directive from the 18th of October 2024, and implement new rules in order to keep up with the EU reforms in this area.
Implement stricter security requirements in order to better protect critical national infrastructure from cyber attacks.
Provide regulators with greater powers, including higher fines and penalties, to ensure more oversight of the cyber threat nationally.
Similarly to data protection requirements, introduce a requirement to ensure vendors also adhere to a prescribed level of cyber security standards in order to protect the supply chains.
Introduce liability rules that may mean members of the senior leadership can face personal fines or penalties if they fail to comply with the law as set out.
It would be remiss for a modern government address to not cover artificial intelligence and while an explicit bill was not listed, there was a mention for the government to "establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models".
It appears the general theme of these suggested reforms aims to strike a better balance between upholding protections and security while also not impeding in innovation and the adoption of new technologies. It will therefore be interesting to see how these bills will fair through parliament.
How You Can Prepare for DISD and CSR
A useful way of understanding the impact of the DISD and CSR bills on your organisation is by undertaking an audit or gap analysis against existing frameworks to give you an idea of your compliance level. While new legislation may provide for more rules and regulations, this will most likely develop on the key fundamental principles already in existence in current cyber security or data protection law or requirements in ISO 27001/ISO 277001, NIST etc.
The following are a few of the key areas of focus an effective and compliant cyber security framework and privacy programme:
Vendor Due Diligence and Security in the Supply Chain
- Due diligence should also be considered in the onboarding of all vendors, including the use of AI systems/services, ensuring compliance with any AI regulations as well.
- Ensure supply chain incidents are considered as part of your organisations Security Incident and Business Continuity Plans.
- Various tools are available to organisations that provide an overview of a suppliers Cyber Security and Data Privacy posture (e.g. OneTrust Vendorpedia, SecurityScorecard).
Data Sharing Securities and Contractual Compliance
- Ensure engagements are reviewed by information security and data protection professionals to ensure compliance with various requirements.
Legal, Regulatory and Statutory Review Processes
- Establish a process for regularly reviewing any changes to legislation or regulation that may impact your organisation.
- Consider engaging with an external specialist if the organisation is unsure what legislation/ regulation applies to the organisation.
Policies, Procedures, and Training
- Training and policies are key components required to establish and maintain compliant data processing (including personal data) practices at all levels of the organisation – including senior management.
- This is important given the level of liability that may be imposed on senior leadership should the DISD and CSR bills become legislation.
Risk Management
- To support the implementation of cyber security and data protection controls within your organisation, regular risk assessments will help to identify areas where controls can be targeted to increase their effectiveness.
- A cost-benefit analysis can be taken to help identify if the cost of the new control outweighs the risk and the cost impact if the risk is realised.
Artificial Intelligence
- Consider the implementation of a ISO42001 compliant management system to form a structured framework for the use of AI technology and possibly integrate this with existing management systems (ISO27001/ 27701/ 22301) to fully streamline processes and enhance related controls.
- Undertake an AI systems-focussed mapping exercise against security and privacy controls to help identify gaps. Take a risk-based approach to implement AI-specific controls and safeguards to target these gaps and reduce the overall risk to your organisation.
Author
Darshy Sivananthasonthy
Data Privacy Consultant
Darshy is a Data Privacy Consultant with an undergraduate degree and master's degree in law, CIPM, and 5+ years of experience and knowledge of data protection legislation. Her experience includes being part of a data privacy team within a law firm that provides outsourced DPO services and working in-house for one of the UK’s largest police forces looking at data subject requests, audit, and compliance.
Blogs
