European Parliament passed the final vote yesterday for the new General Data Protection Regulation (GDPR), ending four years of discussion and a complete overhaul of the EU’s data protection rules dating back to when the internet was in its infancy.
EU officials say these approved new data protection rules, which will come into force in 2018, will strengthen online privacy, streamline legislation between the 28 member states and boost police and security cooperation.
The new law adopts a ‘privacy by design’ philosophy designed to give citizens control over their own private information in the digitised era of smartphones, social media, internet banking and global transfers, ensuring a fundamental right to personal data protection.
> See also: Cloud appeal: The EU’s General Data Protection Regulation is set to re-ignite the world’s love of cloud
This school of thought minimises the collection of personal data, accounts for where it resides, calls for its deletion when necessary and restricts access to only those who need it, while keeping it secure through its entire lifecycle.
Protections include a universal ‘right to be forgotten,’ the need for clear consent by the data owner over the processing of their private information, as well as clearer explanations from data handlers on privacy policies and the right to move to a different service provider.
‘The regulation will also create clarity for businesses by establishing a single law across the EU,’ said Jan Philipp Albrech, who helped steer the legislation through parliament. ‘The new law creates confidence, legal certainty and fairer competition.’
But it’s not all good news for organisations handling data: the law will hold them fully accountable for implementing technical and organsational measures as part of a comprehensive data governance policy, such as nominating a Data Protection Officer and investing in new technologies, as well as providing a lot more documentation and conducting regular assessments.
Businesses that don’t do the work and are found to be in breach of EU data protection law will soon face tougher penalties, with fines of up to 4% of a company’s total global annual turnover. There will also be a requirement for companies to disclose personal data breaches within 72 hours.
Tony Pepper, CEO, Egress Software Technologies warned that the GDPR is really going to shake things up – and companies are simply not ready for it.
‘There are huge fines involved,’ he said, ‘Not to mention the wider reputational damage a company can suffer if it is exposed to a breach. This could easily put some out of business. In light of this, information security needs to be a top priority, not just for risk managers or IT teams, but for board-level executives too.’
Recent research has shown that 87% of CIOs admit they would be left exposed if the new regulations came into force today. While many (74%) are committing to tightening up data sharing processes in response, only 20% are focusing on accidental breaches, despite research showing human error is responsible for 93% of incidents.
> See also: Five things you need to know about the proposed EU General Data Protection Regulation
With nearly half (49%) instead making external cyber-attacks their main priority, companies are running the risk of applying too much emphasis on one aspect of information security to the detriment of other areas of significant risk.
‘There is little point securing the business from a hacker if the reality is an employee will make a mistake,’ said Pepper. ‘For example, sending confidential information via email to the wrong person – and expose the organisation to financial penalties and loss of customer confidence any way.’
Organisations therefore need to understand the sensitivity of information from point of creation, to encryption when it’s at rest on a corporate network or shared with third parties. Control and auditing are paramount to this – especially in light of the GDPR.
‘If, for instance, data is sent in error, the ability to immediately prevent a recipient from viewing that content and provide a full report of the actions taken with it will form an integral part of a company’s defence,’ said Pepper. ‘Reassurance that the effects of a data breach have been mitigated are important not only for the regulators but also for customers too.’
‘With such an overhaul to the way they process and handle data on the horizon, organisations need to act now to make sure that when regulators come knocking, they can demonstrate they have the correct systems and procedures in place.’