With an increasing reliance on technology, the protection of sensitive data and digital assets has become paramount for businesses of all sizes. The UK Government’s Cyber Security Breaches Survey 2023 estimates there were 2.39 million instances of cybercrime affecting UK businesses in the prior 12 months - and for small businesses, navigating the complex landscape of cyber threats can be daunting and confusing. It’s never been more important for business owners to understand the laws and regulations, and how to mitigate against potential risks.
Rob Rees, Divisional Director at Markel Direct, explains the regulatory requirements for businesses when it comes to cyber security and how to navigate them to keep both your business and customers safe. What cyber security laws and regulations do UK businesses need to be aware of? There are currently four main laws and regulations that businesses need to be aware of when it comes to cyber security. These are:- The Data Protection Act 2018: The Data Protection Act 2018 (DPA) governs the processing of personal data in the UK, ensuring that organisations handle personal data lawfully and protect individuals' privacy rights.
- UK GDPR and EU GDPR: The UK GDPR and EU GDPR are comprehensive data protection regulations that set out rules and principles for the processing of personal data, aiming to safeguard individuals' rights and freedoms across the United Kingdom and the European Union. Prior to Brexit in 2020, the UK followed the EU GDPR regulations, but a UK version has since been created. Businesses that serve EU customers, however, will still need to comply with both.
- Network and Information Systems Regulations 2018: The Network and Information Systems (NIS) Regulations require operators of essential services and digital service providers to ensure the security of their network and information systems, reducing the risks of cyber threats and disruptions to critical services.
- Computer Misuse Act 1990: The Computer Misuse Act 1990 is legislation in the United Kingdom that criminalises unauthorised access to computer systems, unauthorised access with intent to commit further offences, and unauthorised modification of computer material.
- Conduct a risk assessment
- Create a cyber security policy
- Guidelines for employees: Every comprehensive cyber security policy should incorporate an employee-friendly guide covering secure password practices, email usage protocols, phishing detection, social media guidelines, risk mitigation strategies and specific instructions for remote workers, including network access protocols.
- Compliance with wider regulations: Adhering to standard GDPR regulations is also essential. Key policy components include obtaining data transfer consent, the process for notifying the Information Commissioner’s Office of a breach within 72 hours, granting users data deletion and access rights, offering comprehensive explanations of user rights, and, where relevant, outlining procedures to protect children's data.
- Systems and infrastructure: Provide details on software/programs used to safeguard data, such as how they work, what they do to protect information and tips on how employees should use these programs, if necessary. You should also include how your business trains IT workers to keep digital systems safe from threats and vulnerabilities. Outline fully their role in both preventing a cyber-attack and what should happen if one does occur, ensuring they’re fully aware of their responsibilities.
- Cyber-attack response: It's important to also outline the company’s response in the event of a cyber-attack. This should be included in the policy by outlining responsibilities for investigation, timely client communication, incident reporting, reviewing insurance coverage, and ongoing employee training, ensuring compliance and responsible action in the event of a breach.
- Invest in employee training
- Implement cyber security measures
- Ensure you are protected should the worst happen