Latest news & updates.

Double Trouble: GDPR + NIS


Double Trouble: GDPR + NIS

Double Trouble

Overlapping data protection legislation may result in multiple fines for just one single breach.

There has been a lot of press, blogs and articles, dealing with the General Data Privacy Regulation (GDPR) and its impact on businesses. The European Union (EU) put the privacy regulation into effect on May 25, 2018. It requires compliance from all businesses that collect and store personal data of EU-based citizens.

Mostly everyone knows about GDPR by now, but do you know about the EU’s directive on the security of Network and Information Systems (known as the NIS Directive), which is cyber security legislation that can result in fines for organizations that don’t have the proper security in place to prevent a breach of IT infrastructure?

NIS Directive

The EU directive on the security of Networks and Information Systems can be just as influential for IT as GDPR has been. The NIS Directive applies to all EU member countries and allows each country the flexibility to adapt legislation appropriately for alignment with other national legislation and circumstances, which means each country will have their own versions and specifications. But broadly, the NIS Directive concerns the security of nationally important infrastructure such as energy, water supplies, transportation, and healthcare.

Introduction to the NIS

The directive requires EU members to create and operate “a National Cyber Security Strategy, a Computer Security Incident Response Team (CSIRT), and a national NIS competent authority.

Cloud Complications

Data protection is becoming more complicated, with cost implications that will continue to rise. It’s not just GDPR. If you are processing data in the cloud, data protection complications increase. When you use cloud services, you may be storing, processing, and transporting data. Have your legal department or organization lawyers investigate whether your cloud data processing is impacted by the NIS Directive.

You Could Have Double Penalties

As Dr. Kuan Hon of the European law firm Fieldfisher explained in a recent Computing article, under GDPR and NIS, critical infrastructure providers could end up being fined twice for the same data breach.

GDPR is designed to protect the personal data of EU citizens. The purpose of NIS is to protect the security of information systems at critical infrastructure providers. The NIS Directive has a broad definition that includes any connected device on any network as well as the data that is associated with those devices and networks. When a provider’s network is breached, and it contains personal data, there’s a possibility of penalties under both GDPR and NIS.

Compliance Will Cost you

U.S. IT staff need to be mindful of these regulations and adjust their procedures and tools to ensure compliance. IT staff will need training around new and evolving compliance efforts. Of course, there are bound to be some organizations that are not affected by the European regulations. But for those who are affected, even if you believe you are in compliance with GDPR and NIS, it’s a good idea to have internal staff or third-party consultants reevaluate your compliance efforts to ensure you’re still doing everything you should be doing and the proper protections are in place. It’s better to be safe now than sorry later.

What About Your Job?

When security is breached in IT systems and networks, it can cost IT staff their jobs as well as the CIOs and CEOs. All business today is dependent on IT. It’s not enough for executives to relegate security to the tech staff and call it a day.

Article sourced : nojitter.com  – For the full article please click here.


About The Author

Mark Hodgson

Mark Hodgson is the Managing Director of Tremark Associates, one of the UK’s leading providers of investigative services. Mark formed Tremark aged just 25 in 1995 and has over 30 years experience in private investigations and commercial debt recovery industries. He is a leading figure and a campaigner for regulation of the Industry and the immediate past President of the Association of British Investigators, a member of the World Association of Detectives, The Institute of Credit Management, The Institute of Paralegals and an associate member of R3 -The Association of Business Recovery Professionals. Mark splits his time between the Leeds and London Offices. He is a dad of two, a keen runner, cyclist and a Leeds United season ticket holder.


,