The sun has come up on a new Europe. It was only yesterday that the European Union agreed on the terms of the General Data Protection Regulation (GDPR), a law which though not yet ratified by the European Parliament, will set a fundamentally changed landscape for the protection of data.
The new regulation introduces a number of important regulations including an upper bracket fine of four percent for breaching the regulations.
Consent to use one's data will now have to be much more explicit than it previously was – no long iTunes data contracts anymore. Companies will now have to appoint a data protection officer, the liaison between the company and the European authorities and the point at which the buck stops for enforcing the GDPR.
Privacy as a ‘built in feature' will also take centre stage as the regulations exhort companies to emphasise privacy from the initial stages of making their products.
It won't just apply to companies based in the EU either, but anyone who offers services within the EU, landing a great deal of the world's companies under the GDPR's sovereignty. But hey, at least there will only be one supervisory authority to deal with this issue as opposed to the previous encumbering glut of 28 different regulators, all speaking their own language.
SC reached out to the industry to see what they thought of this new Europe and how this massive landscape change will affect them.
Andrew Rogoyski, head of cyber-security at CGI, an IT company, told SC that the GDPR coupled with the recent passage of the Network Information Security Directive last week means “there is now a powerful force for change in cyber-security being driven through Europe”, and it “should drive some real behavioural changes in how organisations secure sensitive data.”
Because the GDPR will apply to anyone operating in Europe, “it will have a profound effect on data protection and security across the globe.”
Now that the right to be forgotten is set in stone, Rogoyski remains a touch sceptical about its real world application: “How practical this is remains to be seen. It may simply revert to the right not to be found, rather than be forgotten.”
“Businesses that are data rich just won't be able to look the other way with the new GDPR,” said Vinod Bange, partner and head of the UK data protection/privacy practice at Taylor Wessing.
Slacking will no longer tolerated with this update to outdated and often vague laws: "The current laws, dating back to the 1995 European Directive, have become outdated in many ways. For a start, they don't tell you what is expected in terms of 'how' to demonstrate compliance. The GDPR looks to adopt prescriptive rules around how organisations will need to demonstrate that they comply with the GDPR."
Deema Freij, global privacy officer at Intralinks, said research carried out by Intralinks and Ovum showed 66 percent of global companies will review their strategies in some European countries.
The four percent upper bracket fine detailed in the GDPR, said Freij “will likely surprise businesses, especially given our research, and the fact we thought this wouldn't surpass two percent.”
There will no doubt be a shake up of the way businesses handle data in Europe, said Michael Hack, senior vice president of EMEA operations at data security firm Ipswitch, offering some insight on the toll the GDPR may take on businesses in Europe: “Whilst unifying data protection across international borders is undoubtedly an important, if not imperative step, the burden now falls to businesses to count the cost of this compliance.”
Hack cited recent research, carried out by Ipswitch which showed that two-thirds of IT professionals say that keeping up to with the recent regulations will be a financial burden on their business. One in five, though they admitted to storing and processing personal data, had little idea whether the new regulations would affect them.
Still, said Hack, “Whilst the financial burden of compliance might be a hefty one for UK business, it looks like the burden of non-compliance will be a whole lot heftier.”