The EU has been busy in the cybersecurity department, and for good reason. Given Europe’s ever-rising cybercrime rates, a new approach to data protection was in order. This cued the GDPR and the NIS Directive, which deal with the protection of personal data, and the protection of critical IT systems respectively.
The bridge that connects these two new pieces of legislation? Accountability. With both GDPR and the NIS Directive securely in force, it truly seems to be the case that we are ushering in a new digital era – one with accountability, trust and data security at its core. How does accountability connect GDPR and the NIS Directive, and what does it mean for EU businesses?
What is accountability?
Accountability in data protection is a principle that’s been around since the 1980s. The term ‘accountability’ refers to an obligation on individuals and businesses to be held responsible for their data protection actions and activities, and to accept liability for data breaches.
Accountability cannot be an occasional thing. Businesses need to consider themselves accountable for their actions and (mal)practices at all times. So, to achieve accountability, teams, managers and brands all need to take ownership of the risks they’re imposing on their customers.
The GDPR and accountability
The General Data Protection Regulation explicitly sets out the principle of accountability in Article 5(2) and Article 24. Now, not only do businesses need to implement both technical and organizational policies to protect data, they must be able to prove that these data processing policies are GDPR compliant. These processes must also be regularly reviewed and updated when necessary.
The accountability principle of GDPR places an obligation on companies to take ownership of, and responsibility for, the protection of customer data, and it’s not just the processing of data that businesses are to be held accountable for.
The new emphasis placed on both privacy and security by design, also outlined in GDPR, demonstrates that data protection must be woven firmly into a business: data protection must now be a cornerstone of business practices. The ways a company collects, processes and uses its data are all under scrutiny, and the company will be held accountable for failures. GDPR is weaving a new culture of data security and accountability.
Accountability and the NIS directive
Though less explicit than GDPR, the directive on the security of Networks and Information Systems (the NIS Directive) also promotes a principle of accountability. The NIS Directive focuses on the accountability of the businesses and companies that are classed as ‘essential services’. It aims to ensure the security of any critical IT systems in central sectors of the economy.
The NIS Directive, while focusing on protecting data in critical systems rather than only the personal data of customers, still ties in with the accountability principle of GDPR. Operators of essential services are now required to ensure the security of their critical IT systems, manage any risks posed to the security of these systems, and take measures to reduce the impact of any incident that affects a critical system. They are also obliged to report incidents that affect the continuity of these systems.
So, just as with GDPR, the NIS directive is placing accountability on businesses to step up to the cybersecurity plate and give customers peace of mind.
Business benefits of accountability
A new age of accountability doesn’t mean that organizations are losing out. In fact, a new accountability culture could mean several benefits for businesses and organizations.
For example, when something goes wrong and people are held accountable, they will actively seek solutions and fixes. This mitigates damage and keeps a business, service or product on track. However, when no accountability for such errors or incidents exists, people can end up failing to search for solutions – they have no perceived responsibility to fix the issue.
A new age of accountability also gives businesses a new area in which to compete. Businesses can present themselves based on how they respect the privacy of customers – which then becomes a factor for individuals to consider when deciding who to do business with.
Finally, accountability generates trust. When customers know that businesses are accountable for their data, there’s less risk involved with sharing it – businesses have as much of an incentive to protect it as the individuals do themselves.
The journey to a new age
Thanks to GDPR and the NIS directive, companies are now adopting a new culture of accountability when it comes to data protection. We’re regaining control of our personal data under GDPR, while the systems that keep our world working are being protected.
GDPR and the NIS Directive are the first few steps into a changing culture and mindset when it comes to data security. We have started the journey into a new age of accountability, and it is benefitting businesses and data owners alike.