Cybersecurity Comparative Guide

• Published date: 28 July 2020
• Subject Matter: Privacy, Technology, Data Protection, Security
• Law Firm: Kemp Little LLP
• Author: Ms Emma Wright and Marta Dunphy-Moriel

1 Legal framework

1.1 Does the law in your jurisdiction distinguish between 'cybersecurity', 'data protection' and 'cybercrime' (jointly referred to as 'cyber')? If so, how are they distinguished or defined?

Data protection is not defined as such in the jurisdiction. However, under the General Data Protection Regulation (GDPR), organisations must respect the principles of data protection. The UK Information Commissioner's Office (ICO) states that data protection is about ensuring that people can trust you to use their data fairly and responsibly.

'Cybercrime' is an umbrella term which covers:

• cyber-dependent crimes - that is, crimes that can be committed only through the use of ICT devices, where the devices are both the tool for committing the crime and the target of the crime (eg, developing and propagating malware for financial gain, hacking to steal, damage, distort or destroy data and/or network or activity); and
• cyber-enabled crimes - that is, traditional crimes which can be increased in scale or reach by the use of computers, computer networks or other forms of ICT (eg, cyber-enabled fraud and data theft).

'Cybersecurity' refers to the protection of information systems (hardware, software and associated infrastructure), the data thereon and the services they provide from unauthorised access, harm or misuse. This includes harm caused intentionally by the operator of the system, or accidentally as a result of failing to follow security procedure.

1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?

• The GDPR;
• The Data Protection Act (DPA) 2018;
• The Privacy and Electronic Communications Regulations (EC Directive) 2003 (PECR);
• The Communications Act 2003;
• The Computer Misuse Act 1990, as amended by the Serious Crime Act 2015;
• The Investigatory Power Act 2016;
• The Regulation of Investigatory Powers Act 2000;
• The Official Secrets Act 1989; and
• The Network and Information Systems (NIS) Regulations 2018

1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?

(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?

Some cyber regimes apply only to certain sectors.

The NIS Regulations apply to two groups of organisations:

• 'operators of essential services' (energy, transport, health, water and digital infrastructure); and
• 'relevant digital service providers', which
• • provide online search engines, online marketplaces and/or cloud computing services;
  • have their head office in the United Kingdom;
  • have more than 50 staff; and
  • have a turnover of more than '10 million.

Part 4 and Schedule 11 of the DPA 2018 and the Official Secrets Act 1989 address the processing of data for the protection of national security.

Public electronic communications network service providers and public electronic communications service providers must comply with the Communications Act 2003.

In relation to the health sector, Article 9 of the GDPR, Section 10 of Chapter 2 of the DPA 2018 and Part 2, Schedule 3 of the DPA 2018 apply. In addition, the Department of Health and Social Care requires entities with access to National Health Service patient data to complete the self-assessment Data Security and Protection Toolkit, to ensure compliance with their data security requirements.

No distinct legislation for cybersecurity applies to financial services. However, financial services firms must comply with additional security and governance regulations, which can directly or indirectly include cybersecurity provisions. Financial services firms must comply with the Financial Conduct Authority's (FCA) Principles for Business, of which Principle 11 (which requires firms to notify regulators of anything of which it would reasonably expect notice) and Supervision Manual 15.3.1 (which requires firms to notify the FCA of any matter which could affect the firm's reputation or provide adequate services to its customers) refer indirectly to cybersecurity requirements. Senior managers in financial services firms must also comply with Senior Management Arrangements, Systems and Controls Sourcebook (SYSC) requirements, including establishing systems and controls to keep information security systems and IT systems safe (SYSC 13.7).

(b) Certain types of information (personal data, health information, financial information, classified information)?

The processing of personal data is regulated by the GDPR and the DPA 2018. Particularly sensitive personal data (special category data) is subject to more stringent processing requirements than personal data under the GDPR and DPA 2018. Special category data includes data revealing an individual's political opinions, race or ethnic origin, sexual orientation, sex life, religion or philosophical beliefs, biometric data, trade union membership, health or genetics (Article 9 of the GDPR). Personal data relating to criminal convictions and offences is not considered special category data; however, appropriate safeguards must be in place when processing this type of personal data. These are dealt with in Sections 10 and 11 and Schedule 1 of the DPA 2018.

Classified information is regulated by the Official Secrets Act 1989 and Part 4 and Schedule 11 of DPA 2018.

Criminal offence data is regulated by Part 3 of the DPA 2018.

1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?

The GDPR applies extraterritorially in some cases. It applies to data processed outside the European Union if the data processor and/or data controller is established in the European Union (Article 3(1)). The GDPR also applies to data controllers and data processors that are not established in the European Union, but which process data of data subjects who are based in the EU where the processing activities are related to:

• the offering of goods or services to such data subjects in the EU; or
• the monitoring of their behaviour as far as their behaviour takes place in the EU.

The PECR also applies extraterritorially. Public electronics communication service (PECS)...