The EU General Data Protection Regulation (GDPR) received final approval in the European Parliament today.
The final passage of the EU GDPR represents the fruit of four years of work, seeking to harmonise levels of data protection across all 28 member states of the EU.
The regulation is also set to make data handling easier for enterprises operating within the EU: where there were once many sets of national data protection laws, there is now just one.
The provisions laid out in the GDPR give citizens a greater say in how their data is handled by private organisations. It lays out clear guidelines for how EU citizens' data is to be handled and the rights they retain over that data once it is in private hands. GDPR also comes with limitations on the use of personal data transferred across borders by security services.
Furthermore, the GDPR comes with mandatory breach reporting requirements, meaning companies will have to report breaches within 72 hours of becoming aware of them.
David Mount, director, security solutions consulting EMEA, Micro Focus, told SCMagazineUK.com that this might end up being a mixed blessing: “This will be a technical challenge for those businesses unaccustomed to such stringent measures: they will need to identify the breach itself and the information assets likely to have been affected so they can give an accurate assessment of the risks.”
That said, added Mount, the US, which already has breach reporting requirements, has not been free from unforeseen outcomes: “In reality there can be an unintended consequence of ‘data breach fatigue'. Consumers become accustomed to receiving frequent data breach notifications for even very minor breaches.”
The effect is that “sometimes consumers can't see the wood for the trees, and may start to ignore all warnings - which somewhat negates the point of the measure.”
Breaking the provisions could result in the regulatory iron fist being brought down upon whichever company overlooks them, in the form of a fine of up to four percent of annual worldwide turnover (or €20 million, whichever is higher).
Ross Brewer, vice president and managing director of EMEA at LogRhythm told SC that organisations will now have to wise up to the security of the data they hold: “This new regulation is being called the biggest shake up to EU data laws in the past 20 years – and they're probably right. If organisations continue to plead ignorance when it comes to IT security, they will sadly suffer the consequences, which are getting more and more severe.”
Anthony Merry, head of data protection at Sophos, told SC that his company's advice is not to ignore the legislation and assume you won't be fined: “Businesses need to review their data protection policies and technology to check they are compliant, and should not be shy of reaching out to their local regulatory body or to a trusted consultant for advice to ensure they get it right.”
“The new regulation should therefore make data protection a board-level issue, since this is a signal to all companies who do business in the EU that they need to get more serious about the need to protect their customers' data,” said Merry. “While this means some further investment for many companies, the EU economy will ultimately benefit as customers become more confident transacting online with EU companies.”
GDPR is set to apply from 2018, so companies have two years to realign their data policies with the European regulation. Member states will also have two years to align their national legislation, with Denmark, the UK and Ireland having been given special status regarding their implementation.
Harmonisation will not be complete, however. William Long, a partner at law firm Sidley Austin, told SC: “there are still a number of issues where some member states have fought successfully to implement their own national law requirements, for instance in the area of health data, and this will no doubt lead to certain complexities and inconsistencies.”
However, said Long, “organisations should be under no doubt that now is the time to start the process for ensuring privacy compliance with the Regulations.”
Worse news comes from the opinion issued on another landmark piece of privacy policy, Privacy Shield. The framework is meant to govern the transfer of personal data between Europe, where privacy laws are particularly tight, and America, where privacy laws are less stringent. But the Article 29 Working Party, the body of EU data protection authorities, announced yesterday that it was not sufficiently robust to protect against American domestic surveillance, the weakness for which its predecessor, Safe Harbour, was struck down by the European Court of Justice.
Luca Schiavoni, senior analyst for regulation at Ovum explained to SC by email that, “Since the EC announced the key points of its deal with the US authorities, concerns have emerged about certain aspects, such as the many exceptions under which the bulk use of personal data could still be possible for US authorities. There are also concerns that the powers and independence of the ombudsperson, which should ensure that EU citizens have the ability to seek redress in cases of privacy breaches, are not clearly defined and guaranteed.”
While the Working Party's opinion is not binding, “it is unlikely that the EC [European Commission] will be able to ignore it. It represents the position of Data Protection Authorities of influential member states.”
Moreover, added Schiavoni, “If the European Court of Justice finds that the flaws of Safe Harbour have not been addressed in the Privacy Shield agreement, it will not hesitate to strike the latter down too. Companies affected by this agreement should prepare to face more uncertainty, because the deal is likely to undergo further amendments before it is finalised.”