Regulations and Legislation

With the importance of cyber security increasing constantly, there is now a strong emphasis on the need for organisations to implement robust cyber security measures. The introduction of various legislation has raised expectations of cyber security, with organisations having to work in line with legal requirements and regulations. There are numerous requirements in various laws such as the Computer Misuse Act 1990, Communications Act 2003, Privacy and Electronic Communications Regulations 2003 (PECR), the Data Protection Act 2018 (DPA) and the General Data Protection Regulations 2018 (GDPR). For certain sectors, further regulations apply, for example in industries that provide financial products or essential services such as gas and oil.

Looking more closely at the GDPR (General Data Protection Regulation) and the DPA (Data Protection Act) shows a strong increase in security expectations. Working alongside each other, these acts changed the way organisations are expected to handle personal data. The GDPR is EU legislation, and the DPA governs how it is interpreted in the UK. Both acts aim to protect privacy, which necessarily encompasses security, because data security is an essential requirement of privacy. The GDPR and DPA do not prescribe how organisations should protect data; instead they set out obligations and rights to ensure data is kept secure. This maintains protection against unauthorised access to and use of data, against loss, damage and destruction of data, and requires strong measures to defend sensitive data such as that relating to healthcare.

The ICO (Information Commissioner’s Office) oversees the protection of personal data in the UK and can fine those who do not comply. This is, in fact, one of the biggest changes the GDPR brought in. Before the GDPR, fines for failure to secure data were capped at £500,000. Now, with the introduction of the GDPR, monetary penalties can reach $20 million or 4% of annual turnover, whichever is greater. To date, the largest intended fine has been £183.39 million, issued to BA in 2019 for failing to implement adequate security measures to protect personal data.

The increase in cyber security legislation and regulation reflects its great importance and the wide recognition of this. Large fines demonstrate the seriousness with which cyber security must be regarded, not only to adhere to regulations but to protect organisations and individuals on a large scale.