12 December 2018

Radar - December 2018: Cybersecurity

It has also been a big year in cybersecurity, not only due to the introduction of new legislation, but also because of the continuing focus on high profile breaches.

NISD

The EU's Network Information Systems Directive is designed to sit alongside the GDPR and brings in cybersecurity and breach reporting requirements for Digital Service Providers (an online marketplace, an online search engine or a cloud services provider) and Operators of Essential Services. The Directive is implemented in the UK by the Network Information Systems Regulations 2018, which came into force on 10 May 2018.

We could use more guidance on who exactly is caught by the Regulations as some businesses do not fit neatly into the sparse definitions. In the meantime, you can read about the requirements if you are caught, here.

The Cybersecurity Act

The Commission published a draft Regulation (known as the Cybersecurity Act) to reform the European Network and Information Security Agency (ENISA), giving it a permanent mandate and increased resources; and to introduce a voluntary European security certification framework for ICT products and services. The certificates would confirm compliance and would be recognised in all Member States, making it easier for businesses to trade in the internal market. The draft Regulation is currently in the trilogue stage.

Data breaches

It seems that every week brings another high profile data breach. The ICO has seen a vast increase in the reporting of data breaches, partly because of over-reporting due to a lack of understanding of GDPR obligations. There can, however, be no doubt that many businesses remain vulnerable to attack or to inadvertent data breaches. BA, Dixons, Uber, Facebook, Equifax and the Marriott Group are just some of the names to have hit the headlines this year due to newly discovered breaches, or to fines incurred for earlier breaches. So far, we are yet to see fines issued for data breaches under the GDPR but this will doubtless change next year.

Businesses are also getting used to the idea that they may face class actions in relation to data breaches. In November, we reported on the Court of Appeal decision, upholding the High Court's finding that Morrisons was vicariously liable for the actions of a rogue employee. This was under common law principles rather than as a result of changes to data protection law, but as more breaches enter the public domain and certain litigation funders actively look to fund data breach class actions, we expect this to become the new normal.
