Last Word: GDPR could help Europe take the lead for breach notification
Companies operating in Europe have until 2018 to comply with compulsory breach notification under the EU GDPR or face heavy fines, but Gant Redmon says this could be a good thing for the industry and provide a global legislative model
Gant Redmon, general counsel and VP of business development, Resilient Systems
Agreement on the General Data Protection Regulation (GDPR) has necessitated a great deal of change for businesses, creating a whole new set of rules that companies operating in Europe will have to learn to comply with before the regulation becomes law in 2018.
One of the most significant changes is compulsory breach notification. Going forward, breach notification will apply in all EU member states, with mandatory reporting to the proper channels within 72 hours from the point of detection, or else harsh fines will be incurred. This aspect of the GDPR is a dramatic change for many organisations reluctant to have their breaches made public.
But there are strong upsides. Breach notification shines a light on the frequency with which unintended parties access personal information. With that knowledge, people are more likely to guard their personal information and mind their security practices, such as using different passwords for different accounts. And with the GDPR, the EU will have the most streamlined breach notification system in the world. That is because the EU gets to build breach notification from scratch, as opposed to the state-by-state rollout that happened in the US.
While the US has developed breach notification regulations, different states have different laws, and three US states have no breach notification provisions at all. Conversely, the EU will have a common definition of personal information, rather than the differing definitions found across the US. Much in the same way that under-development in telecommunication infrastructure allowed Africa to lead the way in the uptake of mobile and wireless communications, the starting-from-scratch position is exactly what will allow Europe to take the lead on breach notification.
Europe's GDPR could quickly become the leading example of cross-market standardisation. As a regulation rather than a directive, the legislation is binding across all 28 member states, without requiring new regulation in each country. This uniformity – ultimately reducing 28 sets of data protection laws into a single regulation – will make compliance a far easier issue for organisations present in multiple European countries.
Organisations should bear in mind that, while the GDPR brings along change, it's designed to help organisations comply with privacy regulations, as well as protect the public's data. The GDPR has the opportunity to clarify how organisations should handle, store, and protect data, making it easier for companies to comply and avoid penalties. It will only succeed, though, if standards are clear and objective rather than broad and ill-defined.
A move towards stronger data breach notification requirements is inevitable in the current security climate. The good news about the GDPR is that once businesses are in compliance, they will be compliant for 28 different markets – making the regulation far less complex and challenging than others we've seen. And if the GDPR proves to be successful, we hope it can serve as a standard for other regions to replicate.