Data and information security after 5 years of the GDPR

5 June 2023 | Knowledge, News, The Right Focus

The last few years have seen significant changes in the data protection landscape with this year marking the 5th anniversary of the General Data Protection Regulation, commonly referred to as the GDPR. It’s a good time to take stock and analyse what has changed, and what we can expect in the near future.

What has the GDPR brought us?

First and foremost, there has been a significant increase in data subjects’ awareness of their rights and the obligations of data processors. This can be seen, for example, in the high number of complaints filed with the supervisory authority.

The need to ensure “GDPR compliance” has also had a significant impact on business operations. Businesses have started to place much greater emphasis on the implementation and practical application of data protection systems, which have become a core area of ensuring business security. This is undoubtedly influenced by the fines for non-compliance with these data protection regulations.

Thanks to the principles of privacy by design and privacy by default, there has been a huge shift in the approach to data protection, which is now taken into account from the very beginning of data processing, especially where modern technology is used.

With the GDPR, data protection has become an ongoing process rather than a single one-off activity, which matters both for improving data security and in the context of changing technology. This can be seen in the recent unprecedented development of artificial intelligence systems, in particular generative AI, where data protection is a key element in the development and implementation of AI systems, including the training of algorithms and the building of models that rely on the processing of large amounts of data.

The importance of cyber security

With the rapid development of technology, cyber security is a key issue. Digital threats are increasingly affecting businesses and are closely linked to the issue of data protection, making it one of the biggest challenges facing organisations today. As an example, we are seeing a significant increase in the use of malware, particularly ransomware.

This has also not escaped the attention of EU regulators, who have addressed the issue of cyber security in legislation such as DORA, the Regulation on digital operational resilience for the financial sector[1], or NIS II, the Directive on measures for a high common level of cybersecurity across the Union[2].

DORA

The objective of DORA is to upgrade and consolidate the requirements for managing the operational digital resilience of financial services market participants at a pan-European level.

Upgrading is understood as complementing the traditional quantitative approach, which consists of setting capital requirements to cover ICT risks, with a qualitative approach that defines targeted requirements for the protection against, detection and containment of security incidents, and for building operational resilience testing capabilities.

As regards consolidation, DORA focuses on several issues:

  • Requirements for the management of financial entities in terms of digital resilience and requirements for the management of ICT-related risk
  • Requirements for the management, including monitoring, classification and logging, of ICT-related incidents
  • Requirements for testing the digital resilience of financial entities
  • Requirements for the management of ICT third-party risk

The proposed regulation covers 20 categories of entity, with financial entities obliged to comply with the regulation expanded to include a new generation of financial market participants, such as crypto-asset and crowdfunding service providers, in addition to the traditional financial institutions such as credit institutions, payment institutions, and investment firms.

In accordance with the principle of proportionality, the DORA requirements vary depending on the financial entity’s business profile, size and scale of operation. Financial entities identified as microenterprises are therefore exempt from a significant part of the DORA requirements, whilst those identified as significant are required, among other things, to conduct threat-led penetration tests (TLPTs). Importantly, the list of financial entities also includes ICT service providers, which represents another departure from previous sectoral regulations.

Entities covered by DORA must apply the resulting requirements from 18 October 2024.

NIS II

NIS II, which repeals the existing NIS Directive, was adopted by the European Parliament on 10 November 2022.

NIS II introduces a distinction between essential entities and important entities, rather than between operators of essential services and digital service providers, significantly expanding the existing list.

It also clarifies cyber security risk management obligations by making certain solutions mandatory, including but not limited to:

  • Risk analysis and IT system security policies
  • Incident management policies
  • Business continuity plans
  • Ensuring supply chain security

In addition, the Directive introduces the possibility of imposing fines on entities failing to comply with their obligations. The amount of these fines will depend on the type of entity and will be up to the greater of EUR 10 million or 2% of the total worldwide annual turnover in the preceding year for essential entities, and EUR 7 million or 1.4% of the total worldwide annual turnover in the preceding year for important entities.

The main objective of NIS II is to further improve digital security in the European Union and the incident response capabilities of both public and private sector entities. In addition, it aims to harmonise across the Union precisely who will be affected by cyber security obligations.

The NIS II regulations must be applied in all EU Member States from 18 October 2024, so we can expect changes to the National Cyber Security System Act in this area as well.

Summary

The above regulations signal that we can expect even more guidelines, recommendations, good practices and opinions to be issued at both European and national levels in the coming years.

These regulations will inevitably relate to practices in specific market sectors and will provide specific, individual solutions that businesses will need to comply with. Businesses will therefore need to respond proactively and adapt their practices and procedures, and some of these changes may have implications for business strategies. It is clear that there will be a need to focus on technical safeguards and to assess their adequacy with a view to avoiding possible fines from the supervisory authority.

Any questions? Contact us

Monika Maćkowska-Morytz

Maciej Kuranc

[1] Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014

[2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148

Contact us:

Monika Maćkowska-Morytz

Advocate / Partner / Head of the Personal Data Protection and Cyber Security Practice

+48 660 765 918

m.mackowska-morytz@kochanski.pl