he UK Government released a report on 21 December 2016 that affirms its intention to apply the EU General Data Protection Regulation (GDPR) and implement the EU Directive on Security of Network and Information Systems (NIS Directive) despite Brexit.
Both EU laws will impact UK businesses from May 2018 (before the UK is likely to leave the EU) but what this announcement confirms is that they will continue to apply after the UK leaves.
The report was produced as a result of the review conducted last year to consider the need for regulation or incentives to boost cyber risk management across the UK as the pace of change had been deemed insufficient thus far.
The report focused on the intended application of the GDPR, and its benefits, and concluded amongst other factors that:
- No further regulation beyond the GDPR is required.
- Mandatory data breach reporting will provide the Information Commissioner’s Office (the ICO) (and customers in certain circumstances) with information which will allow the ICO to improve the education of others to prevent future security breaches.
- Financial sanctions under the GDPR will be a significant call to action for businesses.
The report recognised the importance of non-regulatory incentives such as providing more information online and in forums to businesses, although it ruled out further mandatory measures including: requiring cyber insurance, including cyber risk in company annual reports, or requiring a cyber “health check”.
UK businesses planning to offer goods and services to EU citizens when the UK leaves the EU will need to comply with the EU legislation whether the UK Government keeps it or not. However, even UK businesses that do not offer goods to EU citizens will need to continue their work to ensure they are compliant with the legislation.
The GDPR will be of particular interest to cyber insurers as it is expected that data collected by regulators will be shared to improve their ability to price risks more accurately. It is possible that with better pricing, and a more consistent scope of cover, cyber insurers will see the popularity of their products grow.
Although lots of businesses are already familiar with the GDPR, the report confirmed that the detailed scope and requirements of the NIS Directive will be set out by the UK Government in 2017. The UK Government is also considering whether further regulation might, in the context of the NIS Directive, be necessary for critical sectors.