Back in 1995, when the European Commission's directive 95/46/EC, still the set of rules governing data protection across Europe, was adopted, only about one percent of Europeans were connected to the Internet, and fewer still worldwide. The rules are now being replaced because they do not account for technologies that are commonplace today, such as cloud computing and social media.
The new law is designed to create a single pan-European regulation, and shows how keen the European Commission, the European Parliament and national governments are on improving data protection. The Commission, Parliament and related bodies met again this week to discuss it, and most observers expect the law to come into force by 2018.
Greg Iddon, sales engineer at Sophos, explained the benefits during his presentation. The idea is a single European regulation, directly applicable in every member state, rather than the current patchwork of national laws implementing the directive, making it far easier to understand and put into action within a company.
A 'one stop shop' mechanism means a company deals with a single lead supervisory authority, the regulator in the member state where it has its main establishment, rather than separate authorities in every country, which avoids confusion over who has jurisdiction.
All EU countries will have the same rules on data protection, so a company cannot, for example, move data to a member state with weaker protection.
The benefits for citizens are claimed to include:
- The GDPR is designed to push companies to store data properly and securely; those that don't could face huge fines.
- Much of the GDPR is about getting rid of ambiguous terms and conditions. A simple 'tick this box to allow X' will no longer do; companies will have to explain exactly what will happen to the data: where it goes, how it is stored and who will have access to it.
- Another hot issue the GDPR covers is the 'right to be forgotten', or 'right to erasure'. The issue was first brought to prominence in case C-131/12 (Google Spain), in which the Court of Justice of the EU ruled in 2014 that a Spanish man could require Google to remove search results about him that were out of date and were affecting his reputation.
- The GDPR wants to put people in control: a company collecting data on you must explain how long it plans to retain it and how it is protected. A 'traffic light' style trust mark, telling you whether a website is a trustworthy place to enter personal details, was also under discussion.
- Finally, companies can no longer rely on Safe Harbour to transfer personal data from the EU to the US: in October 2015 the Court of Justice of the EU (case C-362/14, Schrems) invalidated the Commission's Safe Harbour decision on the grounds that the US did not offer adequate protection. Transfers now need another legal basis, such as standard contractual clauses.
Employment contracts, vendor contracts, financial records and so on all contain personal data and should not be seen by anyone for whom it is not relevant, the GDPR rules make clear. The fact that IT personnel have administrative access to the systems storing these files does not mean they should be able to read them; access needs to be restricted to what each role actually requires.
The supervisory authority must be notified of a breach (the deadline being discussed in the draft is 72 hours), and companies then have to tell the data subjects it affects. A prime example of how not to handle this is last year's eBay breach, where attackers who had obtained a small number of employee credentials copied a database of around 145 million user records, and nobody was told because the intrusion went unnoticed for months.
To be ready for the new GDPR rules, organisations need to:
- Apply measures to protect personal data; encryption is widely agreed to be the most effective single measure, provided the keys are managed properly.
- Implement a clear data protection policy, one that even the company secretary can understand.
- Appoint a data protection officer to ensure company-wide adherence to the EU rules.
If a company suffers a breach and is found not to have protected the data, it will be liable to huge fines: the draft figures under discussion run to hundreds of millions of euros, or up to five percent of annual worldwide turnover.
It's not all bad news, though. If you suffer a breach but the data was encrypted, the fine can be reduced and you may not need to notify the affected customers, because the data is unintelligible to whoever took it. Two caveats: the supervisory authority still has to be notified, and encryption only counts if the keys were not compromised as well. You will also need logs to prove it: the supervisory body will want to see that the data was encrypted, who had access to it and to the keys, and since when. You will have to show you took every reasonable step to protect the data.
That is why companies are being encouraged to have a rock solid data protection policy.
Companies must map how data flows into and out of the organisation. If they use external data processors, they should choose ones with stringent data protection policies that will work to keep the data safe. The same goes for Internet of Things devices connected to the company network, and companies must set policies for company data being used on employees' personal devices.
Who the end users are, how they use the data and who has access to it must all be taken into account. The last thing a company wants is a disgruntled employee stealing personal data and then blackmailing the company by threatening to report it to the regulator for a data breach.
Sophos were at IP EXPO 2015 and offered plenty of resources for getting ready for the new rules. On their website they offer a 60-second EU data protection compliance check, a sample data protection policy and white papers explaining the new European data protection regulation in more detail.
They also stressed that this legislation will go ahead, as the Commission, Parliament and Council are meeting regularly on it. Data protection is getting significant media coverage too, driven by Edward Snowden's revelations and large-scale data thefts. Finally, Sophos warned about the need to be ready: implement solid data security measures, and create and communicate a solid data protection policy. Better safe than sorry.