Governments across the world are becoming increasingly active in the fields of cybersecurity and data protection/privacy, recognizing the criticality of the digital world to society, particularly in the wake of the COVID-19 pandemic.
The EU’s General Data Protection Regulation (GDPR) 2018 is the most obvious example of this. These rules have already had an enormous impact on businesses, with numerous substantial fines levied as a result of breaches of these laws.
The UK is a particularly interesting case, given its formal departure from the EU on January 1, 2021. It incorporated GDPR into its existing data protection regime, known as UK-GDPR. However, the UK government has since outlined its vision to adapt the country’s approach to data protection and privacy in the wake of Brexit, such as making it easier to strike data adequacy agreements with nations outside of the EU.
This vision could be realised in its proposed Data Reform Bill, which has already created substantial debate among experts regarding plans to diverge from the EU’s GDPR provisions.
Another major piece of legislation being prepared in the UK is the Online Safety Bill, designed to tackle online harms, including child sexual abuse, fraud and content that causes psychological harm. It is an ambitious and unprecedented attempt to regulate aspects of the Internet.
These two bills are expected to be passed into law in 2023.
Other notable recent UK cybersecurity legislation includes the Telecommunications (Security) Act, which sets out security rules to protect UK telecoms networks against cyber-attacks from October 2022, and the Product Security and Telecommunications Infrastructure (PSTI) Act, signed into law in December 2022. The latter places obligations on smart device manufacturers to secure their products before going to market.
These new laws, once enacted, will impose new responsibilities on many organizations, which must be prepared to comply or risk substantial financial penalties. To discuss this landscape from a legal perspective, Infosecurity spoke to Sarah Pearce, a partner at law firm Hunton Andrews Kurth.
Infosecurity Magazine: There are currently a plethora of UK laws relating to cybersecurity, privacy and data protection in development. What impact do you think these laws will have on relevant businesses once passed?
Sarah Pearce: There are indeed – and more are likely to appear. The impact will vary according to the particular legislation/regulation. For example, managed service providers will be most affected by the new UK cybersecurity laws that are due to come into force and expand the scope of existing regulations, making them subject to the same rules that govern essential services (e.g. critical infrastructure and healthcare companies).
The Data Reform Bill will arguably have a broader impact regardless of the type of organization, industry or sector, since it covers the handling of personal data generally, something which almost all businesses do, even if it’s just their employees. That said, the bill largely builds on a framework that already exists and those businesses handling personal data have likely taken steps to comply with the UK GDPR. As such, they may just have to take steps to modify certain aspects of their compliance program rather than install a completely new framework or completely overhaul their approach to the handling of personal data.
IM: How well prepared are organizations, particularly in the tech space, to comply with these laws? How should businesses be preparing?
SP: Again, I think it depends on the specific legislation we are talking about. The majority of organizations are generally pretty well prepared when it comes to data privacy compliance, for example, bearing in mind GDPR has been around for a few years now and the reform builds on that framework, without altering the key principles.
Organizations that have not been in compliance with existing legislation should certainly be taking steps to catch up as the regulatory enforcement is on the rise and is set to continue in the same direction with the development of further, new UK-specific legislation.
It is likely a different story when it comes to the Online Harms Bill, for example. This represents a completely new set of obligations and even those organizations in the tech space (online service providers for example) that have taken steps to comply with the requirements for handling children’s personal data (age appropriate design code), will find themselves subject to additional requirements. This means they’ll need to take a more proactive approach to the monitoring of their platforms and the individuals accessing them.
IM: What other legislative changes do you expect to see in the cybersecurity and data protection space in 2023?
SP: I think we’re likely to see planned legislation evolve and come into force. With the rise in cyber-attacks (in the broadest sense of the word), I suspect we will likely see further cybersecurity-related legislation appear. This could expand the remit of existing legislation again or possibly add new requirements. Otherwise, I don’t anticipate any additional, revolutionary changes beyond those that have already been discussed for 2023 in the UK.
Globally, however, I think we will continue to see the development of legislative regimes regarding the handling of personal data and a focus on the handling of children’s personal data. The regulation of AI technologies is also likely to evolve, as are the data protection and cybersecurity implications associated with it. I think there will also be further development of privacy enhancing technologies and legislation/regulation around their use. Another area is digital assets: I suspect we will see further discussion on the topic and whether or not they merit an additional, specific legislative/regulatory framework.
IM: What do you think current UK legislation relating to cybersecurity and data protection means for the country’s approach to privacy going forward?
SP: The UK government is clearly taking steps to modify certain legislation in this area that it has inherited from the EU; we will likely see more ‘UK specific’ laws.
While I doubt much will differ wildly from the existing framework, there is a keen desire for the UK to demonstrate a reasonable, pragmatic approach. The UK government has stated that it wants the UK to be seen as “business-friendly,” ridding itself of much of the EU’s red tape.
A key consideration in this field that the UK government will undoubtedly keep in mind is the fact that it needs to ensure any new requirements do not alter the underlying framework or detract too far from existing principles. The government will likely want to ensure it maintains “essential equivalence,” such that the UK’s adequacy status with the EU is not affected.