The EU last night agreed new rules on data protection which mean organisations can be fined up to four percent of global turnover for breaching the new laws.
The General Data Protection Regulation (GDPR) has been in the works since 2012. A central point of discussion between the European Parliament, European Council and Council of Ministers has been the level of fines which could be imposed for breaches of the law.
The Council had called for fines of up to two percent, while the Parliament's version would have increased that to five percent. In an apparent compromise, the figure has been set at four percent.
The GDPR provides for the harmonisation of data protection laws throughout the EU. Once the Regulation comes into force, member states will have two years to write it into national legislation.
It also extends the scope of EU data protection law to foreign companies processing data about EU residents.
The Regulation also tightens the rules on data subject consent: consent must now be explicit and given for specific purposes. Consent for children under 13 will have to be verifiably given by a parent or guardian. Importantly, there must also be an easy means for consent to be withdrawn.
Immediate reaction from the industry has been mixed.
Nigel Hawthorn, chief European spokesperson at cloud security company Skyhigh Networks, believes this is positive news for the consumer. “This is an early Christmas present and we welcome the GDPR text publication. Consumers are rightly concerned about their private information being lost by organisations and it's great to have clarity on the regulations. Now enterprises and cloud service providers worldwide need to study them and ensure that their procedures and technology are in place to conform.”
Dr Elizabeth Maxwell, PC.dp Member IAPP and EMEA technical director at Compuware, said: “The new rules coming into force with the agreement of the EU Data Regulations pose a major challenge for all companies that collect and store personal data. First and foremost is the need to be in control of where any personally identifiable information (PII) resides within their systems. This might sound pretty simple, but it's far from it; organisations not only need to consider their own back-end databases and backups, they also need to consider any data being used by outsourcers, partners or cloud service providers they're working with. In many cases, data could even be in use outside of the EU – in the systems of an outsourcer developing mainframe applications for the business, for example. This would instantly create a breach of the new EU regulations unless the proper controls were in place.”
Tony Pepper, CEO of Egress Technologies, said: "This regulation is set to really shake things up, forcing companies to scrutinise how they process and handle data. In particular, the ruling that they must report breaches 'that are likely to harm individuals' has the potential to expose a swathe of breaches that are currently being swept under the carpet - and the corresponding fines are likely to be keeping a few CFOs awake at night! Now that a decision has been made, boards across Europe need to immediately start planning and implementing the right processes, training and technologies to protect the entire lifecycle of their data so they're prepared for when the regulation is enforced. We can see from previous breaches that it is the small slip-ups, caused by human error, that have been the most common and largely the most damning. These are the errors that, until now, some organisations have not necessarily had to confess to. The weakest link in the chain is your workforce, and even with the best technology and will in the world, changing habits and getting user buy-in takes time - so you should start now. Matching security policy with user training and education, alongside smart, user-intuitive technology, is the only way forward."