“The Network Information Security Directive and the General Data Protection Regulation”

The OIL & GAS Sector must be prepared for “The Network Information Security Directive and the General Data Protection Regulation”

Oil & Gas Vision spoke exclusively to Aberdeen Security Training Company, OSP Cyber Academy and their Chief Training Officer Richard Preece, here is what Richard had to share with our readers.

May 2018 will see coming into effect of not one, but two, potentially far reaching pieces of new legislation: the Network Information Security Directive (NISD) on the 10th May and General Data Protection Regulation (GDPR) on the 25th May. Wait you may say, this is EU legislation and Brexit means Brexit, surely, they won’t apply in the UK!

However, the reality is, the British Government is not only bringing NISD and GDPR into British law, they are actually adding additional penalties. This includes new corporate and individual criminal offences in the case of the Data Protection Bill, which will incorporate the GDPR into British law and replace the current Data Protection Act 1998 (DPA 98). Whilst the current Government consultation on the proposed Security of Network Information Systems introduces similar provisions for potential Administrative Fines of £18m or 4% of global revenue, whichever is higher for Operators of Essential Services (OES). Why is this happening and what does all this mean?

We are now in what has been sometimes describes as a new Digital Age, that is increasingly hyper-connected, complex, dynamic and uncertain. This creates new opportunities for growth and innovation, but also creates new vulnerabilities, whilst exacerbating often known but previously not-fully addressed risks. The potential impacts of these upon individuals, organisations, the economy and society are not always simple to understand, therefore the risks have not always been effectively managed. The trend is clear, more digitisation for greater growth and prosperity, but with it greater and often new risks. This has driven the flurry of new legislation in the UK, EU and elsewhere in the world, including the United States. NISD and GDPR are an indication of more to come, not the limit to the legislative environment. So, it is time for companies to start approaching this at Board level and integrating cyber resilience and data protection into their core strategy and business as usual. What can and in fact must they do? Both NISD and GDPR introduce the concept of Security by Design (Security of Network Information Systems Consultation Paper) and Data Protection by Design and By Default (GDPR, Article 25). Both effectively work on the same approach, although NISD is focused upon protecting OES, whilst GDPR is focused upon protecting data subjects (all of us), privacy rights and freedoms.

Practically that means, seeking to design from the outset to prevent vulnerabilities (people, process and technology based) from occurring; in the high likelihood that vulnerabilities do occur, they are identified, mitigated and controlled; and if the protection fails, whether through malicious cyber-actor’s actions, or non-malicious failure, to ensure that there is the capability in place to detect, respond and recover, to mitigate the consequences. For those in the Oil and Gas sector, who are classed as OES, it means that cyber-security incidents will have to be reported as a matter of routine to the Department for Business, Energy and Industrial Strategy (BEIS) as the nominated competent authority. Whilst if a personal data breach is involved the Information Commissioner’s Office (ICO) and potentially the individual data subjects will have to be informed. Inevitably that will almost certainly lead to investigations and additional liaison with the National Cyber Security Centre (NCSC) and the appropriate law enforcement agencies. Having a tired and tested plan, with appropriately trained people is now not just a nice to have, but an explicit requirement for both NISD and GDPR. OSP Cyber Academy has recognised the increased business challenge this has created and designed and developed GCHQ Certified Training (GCT) Scheme.

Awareness and Practitioner Courses for GDPR Data Protection and can provide bespoke NISD and GDPR courses and scenario workshops to help organisations prepare for the future. Given all of the obvious Cyber Security and Data Protection issues now at stake, it was a natural choice for OSP Cyber Academy to join forces with Restrata and utilise their purpose built, Incident Management Centre now supporting every aspect of training and support for the Oil & Gas Sector. Chief Training Officer at OSP Cyber Academy recently said “the Restrata facility is the perfect centre for every aspect of Incident response, both for the Oil & Gas Sector and Cyber Resilience Industry, both of which work hand in hand” we look forward to continue delivering our comprehensive GDPR and Cyber Resilience training exclusively with Restrata here in Aberdeen. Richard has been very busy supporting the Scottish Business community and oil & gas sector delivering keynote presentations in Aberdeen at GDPR Summit Aberdeen, and Security In Energy ADIPEC where many UK and Aberdeen companies now support the growing demand for expertise in every sector of the Energy Industry.

Shopping Basket