From today the EU General Data Protection Regulation (GDPR), adopted in April 2016, will apply fully; it's the end of the transition period, not the start, so the rules will be enforced, replacing the 1995 EU data protection directive.
If you are reading this, it's likely you know what the GDPR changes are, but many companies don't, so before reporting responses, here's a brief reminder, as described by the EU, followed by some comments on what to do now - as there is more to do:
The rules aim to protect all EU citizens from privacy and data breaches while creating a clearer and more consistent framework for businesses.
Citizens will have better control over their personal data
One set of rules across the EU will guarantee certainty for companies
Stronger enforcement through fines
New rights for citizens:
a citizen has to give their "clear and affirmative consent" for their data to be processed;
the right to receive clear and understandable information about who is processing the data, what data and why;
the right to be forgotten: a citizen can ask for his/her data to be deleted;
the right to transfer data to another service provider (e.g. when switching from one social network to another);
the right to know when data has been hacked.
The new rules apply to all companies operating in the EU, even if these companies are based outside of the EU.
Warnings and orders or fines can be imposed on firms that are breaking the new rules. The maximum ceiling for fines in the most serious infringement cases is four percent of the company's total worldwide annual turnover.
“With the General Data Protection Regulation, the European Union sets a global standard and ensures that fundamental rights, consumer protection and fair competition are strengthened. For the first time, the same high level of data protection rules apply to everyone in the European Union; the new EU-wide rules replace a patchwork of 28 different national regulations,” said Rapporteur Jan Albrecht (Greens/EFA, DE). And it seems he is right, with the US and others now considering similar consumer protection.
GDPR also includes a directive on data processing for law enforcement purposes and a new set of rules on e-Privacy is also currently being considered.
Gretchen Scott, partner at Goodwin, emailed SC Media UK to comment: “We are generally seeing high engagement from non-EU businesses around preparations for the GDPR, with increasing urgency now the implementation date is upon us. US technology companies have been particularly focused on the GDPR, and have been taking a proactive stance to attract and retain their customer base.
“The law is nuanced and there is an astonishing amount of public misinformation offering differing interpretations on the scope of the law, so it is not surprising that people are confused. Clarification from the Commission on the extra-territorial scope is expected and will be welcomed.
Julie Cullivan, CIO at ForeScout, adds that even now it's not too late to act, saying: “Businesses around the world have had years to prepare for this day - but only the coming weeks and months will show which organisations have really done their homework. The inevitable next wave of cyber-attacks will cost businesses with inadequate security solutions dearly if their networks and consumer data are compromised.
“To comply with GDPR and prevent this from happening, organisations need to have visibility into what data they have, where it sits within the network and what devices are accessing it. In the event of a breach, network access solutions that provide this kind of visibility will pick up any unusual activities and isolate compromised devices before they can cause any harm. Even with GDPR in place, it isn't too late for businesses to put these safeguards in place. They will just have to act fast as the next cyber-attack that could cripple them is already looming around the corner.”
Its findings indicate most organisations are not concerned about potential GDPR penalties, and as a result, many businesses aren't prioritising compliance. It reports that:
Only 14 percent of UK organisations, nine percent of EU and three percent of US organisations believe they'll actually be fined for not complying with the GDPR.
60 percent of IT professionals in the UK and 64 percent in other EU countries cite a lack of time and resources as the primary reason for missing the deadline.
One-third of IT professionals believe GDPR will make their jobs more difficult, and about 20 percent believe GDPR will make it more difficult for their whole company to do business.
40 percent of IT professionals in the US said the primary reason they will not meet the deadline is because it's not a priority for their organisation.
30 percent of UK businesses expect their IT department to spend more than 120 hours preparing for GDPR.
Robert Wassall, data protection lawyer and head of legal services at ThinkMarble, commented in an email to SC Media UK: “Now the GDPR has come into effect, there are still many organisations that are underestimating the impact it will have on them. Much like the “Y2K” scare, some have thought that the whole thing has been a lot of hot air and hype which will blow over and be forgotten within a month.
“It's perhaps been easier for smaller businesses to fall into this mindset, with many simply focusing on getting on with business and leaving the headline-grabbing drama to the larger, big name organisations. SMEs have also often assumed that they are too small to be impacted by the GDPR, particularly those with under 250 employees. Anyone that has been clinging to this idea as a reason not to comply with the regulation is now in for a shock.
“GDPR impacts all companies holding the relevant datasets, regardless of their size. Firms with under 250 employees will receive some small concessions, but only in the form of exemption to documenting certain activities. Overall these exceptions are marginal and firms of any size must comply with all demands.
“However, if you find that your business still does not comply in some areas, don't panic! Identify these areas of non-compliance and place those in an order of priority by identifying the risk to your data subjects and your organisation.”
Michael Aminzade, VP Global Compliance and Risk Services at Trustwave points out that organisations must shift their thinking to the realisation that being compliant doesn't necessarily mean “secure.” “On the contrary, the real work is about to begin. Cybercriminals are becoming much more adept at stealing personal data to sell on the black market. It is imperative that the months of work conducted to map out where personally identifiable information resides and how it moves through an organisation is applied to keeping it secure. Regular compliancy assessments and ongoing security testing led by experts who can quickly identify gaps will greatly reduce the likelihood of a serious incident and associated fines.”
In fact, Matt Walmsley, EMEA Director at Vectra, says GDPR may be giving bad actors a place to hide: “GDPR is driving enterprises to encrypt PII for good reasons, however, an unintended consequence is that encryption can give cyber-attackers a safe harbour in which to operate with impunity. The hyper growth of encrypted communications is blinding traditional security solutions which are reliant upon deep packet inspection (DPI).
“Whilst enterprises are rightfully busy protecting PII and adhering to GDPR, they still have a responsibility to prevent, detect, and respond to cyber-attacks and intrusions to their network. AI helps with GDPR by getting ahead of the breach event by identifying discrete attacker behaviours within clear and encrypted communications, based upon its autonomous learning capabilities.”
The EU's PNR Directive (2016/681) also comes into effect today
As if GDPR wasn't already enough, today also sees introduction of the EU's response to the threat of terrorism and serious cross-border crime.
Ray Batt, director of the border security programme at Unisys, notes that “The PNR directive states all EU members must supply passenger name record (PNR) data, information provided by passengers and collected by air carriers for enabling reservations and check-ins, for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.”
Air carriers will have to transfer to EU Member States the PNR data they have collected in the normal course of their business and EU Member States must establish specific entities responsible for the storage and processing of PNR data, called Passenger Information Units (PIU). The Directive regulates the way EU Member States can use the PNR data collected and provides for the necessary data protection safeguards.