NIS and the UK GDPR
At a glance
- The GDPR and NIS address different things – the UK GDPR concerns personal data, whilst NIS concerns the security of systems.
- However, there is considerable overlap between the two due to the UK GDPR’s provisions on security and the likelihood that most organisations covered by NIS will also be data controllers (or even data processors).
- The ICO is the UK’s data protection regulator. This means that we already regulate both OES and RDSPs, but only in the context of data protection law where they are data controllers.
- NIS requires OES and RDSPs to notify their competent authorities if an incident takes place. Where an incident is, or becomes, a personal data breach, then you also need to inform the ICO separately from our function as the competent authority for RDSPs.
In brief
- Are NIS and the UK GDPR the same?
- Does the ICO regulate OES?
- Can a NIS incident also be a personal data breach?
- Who do we report to?
- Can we get fined twice?
Are NIS and the UK GDPR the same?
No. The two laws are intended to address different things. NIS concerns the security of network and information systems and the digital data within them whilst the UK GDPR concerns the processing of personal data.
Whilst security and data protection go hand in hand, they’re also not the same. In this sense, NIS is actually broader than the UK GDPR, as it covers ‘digital data’, which does not just include personal data but any data relating to the network and information system and its provision and continuity.
Additionally, ‘digital data’ by default means that any manual data is not covered by NIS, unlike the UK GDPR where manual data is covered where such data forms part of, or is intended to form part of, a filing system.
At the same time, NIS applies to fewer organisations than the UK GDPR. Unless you are an OES or RDSP, NIS will not apply to you – your security obligations will instead come from the GDPR.
Does the ICO regulate OES?
Not in the context of NIS. However, both OES and RDSPs are likely to be controllers and in some cases processors under data protection law. Where personal data is processed, the ICO has a regulatory function – but this concerns the UK GDPR, not NIS.
In practice, there may be considerable overlap between the UK GDPR’s security requirements and those of NIS. For example, the UK GDPR also includes the classic information security concept of the ‘CIA triad’ (confidentiality, integrity and availability). This means that there is much greater alignment between the requirements of the UK GDPR and the NIS Directive than the difference in their subject matter might suggest.
Further reading
Please see our guidance on UK GDPR security principles for more information.
The UK GDPR applies to any organisation processing personal data. NIS only applies to OES and RDSPs.
Can a NIS incident also be a personal data breach?
Yes. It is likely that organisations covered by NIS are controllers or processors under the UK GDPR. As such, it is possible that a NIS incident could also be a personal data breach as defined by the UK GDPR.
The NIS Directive recognises this in Recital 60, which says:
‘Personal data are in many cases compromised as a result of incidents. In this context, competent authorities and data protection authorities should cooperate and exchange information on all relevant matters to tackle any personal data breaches resulting from incidents.’
Regulation 3(3)(f) of NIS specifies that competent authorities must:
‘consult and co-operate, as appropriate, with the Information Commissioner in addressing incidents resulting in breaches of personal data’
The reason for this is that in practice, personal data may be processed on network and information systems, particularly for both essential and digital services.
Firstly, whilst NIS concerns ‘digital data’ relating to the operation, use and maintenance of computer systems, this data could include personal data depending on the circumstances. This could mean that the NIS incident is also a personal data breach simultaneously.
Secondly, a NIS incident may lead to a personal data breach – for example, where a cyber-attacker has undertaken an initial attack on a service and subsequently compromises personal data that the service processes, such as customer information. The initial attack and its disruptive effect could constitute the NIS incident, whilst the subsequent unlawful access to personal data could constitute the personal data breach.
Example
An OES is subject to a cyber-attack that causes a substantial impact on the provision of its service. It reports this incident to its competent authority within 72 hours of becoming aware of it.
The OES then establishes that the incident also resulted in its customer database being unlawfully accessed by the attacker. This means that a personal data breach has also taken place, and the OES must notify the ICO of this in accordance with the UK GDPR’s requirements on breach reporting.
Not every NIS incident will cause a personal data breach. It may be useful to remember that, in information security terms, all personal data breaches are considered incidents, but that not every incident will involve a personal data breach.
Further reading
Please see our guidance on personal data breaches for more information.
Who do we report to?
Depending on your circumstances, you may have to report an incident to both your competent authority (under NIS) and the ICO (under the GDPR). If you are an RDSP, our NIS incident reporting tool allows you to indicate whether personal data has also been compromised.
The UK GDPR is an entirely separate piece of legislation from NIS. If you are covered by NIS but are a controller or processor then the UK GDPR’s obligations apply to you in addition to your requirements under NIS.
You may have to notify two separate regulators about the same incident – your NIS competent authority, and the ICO (if the same incident is also a personal data breach). You have to make both notifications without undue delay and within 72 hours of becoming aware, where feasible. If you are a data processor, you must notify your controller without undue delay so that it can notify the ICO within 72 hours, as required by the UK GDPR.
It is however possible that you may not know if the NIS incident is a personal data breach immediately. For example, after notifying your competent authority within 72 hours, your subsequent investigation discovers that the incident has also led to a personal data breach. At this point, you have 72 hours to notify the ICO.
Can we get fined twice?
As the UK GDPR and NIS are separate laws, it is possible that you may be subject to regulatory action under both. However, any action might relate to different aspects of the incident and the potential infringements of the specific laws in question.
The ICO will work closely with other competent authorities and the NCSC so that we maintain a common approach. However, if a NIS incident is also a personal data breach, we have specific regulatory functions that we have to follow which are entirely separate from the NIS Regulations.
Any regulatory action we take, be it under NIS, the UK GDPR, or both, will be appropriate and proportionate to the failure identified.