Mention the words ‘EU General Data Protection Regulation' into the ear of a CISO or senior IT manager and you'll likely see a shot of fear in their eyes, for this impending legislation has the potential to change not only privacy but business security practises too. CEOs may cast a worried eye over their balance sheets, and the law could have a far-reaching effect on everyone from HR teams to sales and marketing.
The law, which marks the first significant changes to European data privacy legislation since 1995, and in the UK since the 1998 Data Protection Act, has been under discussion since 2012 with a view to being fully ratified in 2015 and implemented a year after that. It introduces several dramatic changes as to how customer data is stored and how companies must respond in the event of a data breach.
For instance, the changes stipulate that companies will be fined up to €100 million (approximately £80 million) – or five percent of their global turnover – in the event of a data breach, while individuals have the “right to be forgotten” should they wish to change to another service.
In addition, explicit consent will be required for businesses looking to process data, while companies will need to inform users – paying or otherwise – of data breaches “without undue delay”. Initially, Justice Commissioner Vivian Reding wanted this timeframe to be just 24 hours, but Article 31 and 32 of the draft Regulation indicate that companies will have 72 hours to inform the regulator.
There are big changes around user privacy too; in addition to the “right to be forgotten”, the legislation indicates that end users have the right to transport data from service to service and that companies have valid consent to collect personal data.
Companies with more than 250 employees will be required to have a data protection officer and an impact assessment on specific risks, while all firms would have to publish contact information for a data controller. Privacy by Design by Default requires that data protection is baked into development of business processes for products and services.
Perhaps unsurprisingly, this has caused something of a frenzy in businesses. The proposed data breach fines are much larger than those handed out by the ICO, there are question marks over ‘false positives' as far as reporting breaches are concerned and the “right to be forgotten” – a huge issue in the recent Google Spain case – could cause bedlam on what data is rightfully collected and deleted. Previously, some companies reportedly assessed that it was often cheaper to pay a fine than meet compliance.
Is the directive a ‘lame duck'?
However, meeting this compliance is not a straightforward process, especially as there are still doubts if and when the EU Data Protection Regulation will become reality.
The first draft of the EU directive was issued some two years ago with the idea of the law becoming effective in late 2014 with a two-year sunrise deployment. However, subsequent squabbling in European chambers and changes to the proposal pushed it back and it seemed that it would never see the light of day.
That was until March, however, when the European Parliament approved the draft law. All 28 European Union member states gave the plenary vote the green-light, with the draft law being approved by 621 MEPs but rejected by 10. There were 22 MEPs absent.