GDPR Passes the Security Test

Last week we reported that the EU Parliament and Council had agreed on a text for the long-awaited General Data Protection Regulation (GDPR).

The agreed GDPR text could lead to fines of up to 4% of annual turnover for firms which break the rules; mandatory notification of “serious” breaches to the relevant national supervisory authority; a single lead regulator for multi-national companies, wherever their HQ is; the mandatory appointment of data protection officers; and a requirement for large internet service providers to meet “right to be forgotten” and “right to data portability” rules.

This mainly affects businesses, but the public will also see the benefits of the GDPR in the right to be forgotten and in mandatory breach notification, along with stricter age-consent requirements for social networks.

David Smith, former Deputy Commissioner and Director of Data Protection at the Information Commissioner’s Office (ICO) and now a special adviser to Allen & Overy, praised the end of the “trilogue” and achievement of political agreement. “The shape of the EU’s future data protection framework is clear, the finishing line is in sight and preparations for implementing the new Regulation can begin,” he said.

Phil Lee, partner in the Privacy, Security and Information group at European law firm Fieldfisher, called the GDPR “the most significant development in data protection that Europe, possibly the world, has seen over the past twenty years”, which was more significant than Safe Harbor.

“Fundamentally, the regulation is about accountability,” he said. “It's about businesses not only being compliant, but being able to show they're compliant.”

Of the various opinions which fell into my inbox, there were claims that the regulation will push data privacy to board level for all companies, and require audits of existing and future business processes, IT systems, data strategy, and on interactions with business partners.

Bojana Bellamy, President of Hunton & Williams’ Centre for Information Policy Leadership (CIPL), said: “They will need to devise strategy for implementation of new requirements and then put in place compliance programs, new policies, procedures and systems. These are no small tasks.

“The two-year implementation period is not a long time in a life of an organisation and many may find they have a mountain to climb and may run out of time. Some organisations have been following the progress of the Regulation and its final text and are already starting to develop implementation strategies and preparing for change.”

Brian Honan, CEO of BH Consulting, told Infosecurity that while the new rules do put a stronger focus on the protection of an individual’s privacy, such as breach notification and privacy by design for any new services or systems, the new regulations are more an evolution of the current Data Protection rules rather than a revolution.

He said: “The good news for many companies is how the new data protection rules will provide one single set of rules across all EU member states, rather than the previous requirement of having to adapt to the unique data protection laws in each member state, making it easier for companies looking to trade in different jurisdictions.

“Companies that have good data protection governance in place already should not find the new requirements too onerous; however, others may find they have a steep learning curve to ensure they can meet the requirements. Companies should take the new requirements on board as part of their risk assessment processes and ensure the appropriate levels of security, training, and processes are in place.”

One of the key factors of the accompanying security directive (a separate instrument from the GDPR, which as a Regulation applies directly without national transposition) is that it focuses primarily on operators of critical infrastructure in certain sectors (financial services, transport, energy, water and health) as well as “essential services” (such as internet payment, cloud computing and search engines). Member states will need to identify those essential services in their jurisdiction, and Andre Bywater, Principal Adviser-European Regulatory at Cordery, said that businesses in the individual Member States will likely be asked to take part in a consultation before the rules are implemented.

Bywater said the immediate steps are for the EU Council and the European Parliament to formally approve the new rules, which is expected in the first half of next year. EU Member States will then have to adopt the directive into national legislation within 21 months, and within a further six months officially identify essential services operators from the sectors in question according to certain criteria.

The GDPR follows a long process of deliberation over fines, installation of data protection officers and 24-hour notification procedures. Jonathan Armstrong, partner at Cordery, told Infosecurity that he believed that the 24-hour rule was always unrealistic. “No-one who's been in the room with a business dealing with a breach would ever think you can notify that quickly and from a public policy point of view,” he said.

“I think it's right to extend as otherwise people might report too quickly. Occasionally it is possible to catch the bad guys, but not if people report too quickly. It will be interesting to see the details but I also hope we'll see an extension of time for when law enforcement are on the scene like in the US.”

The other area of debate is the level of fines for breaches, where earlier drafts had been reported to anticipate up to 2% of annual global turnover. Because the fines are tied to turnover, for large enterprises or banks they could run into millions or billions of pounds.

Honan said that the potential for fines should make companies realise the importance that data protection should play in their governance framework, and ensure the appropriate resources are applied.

“The requirement for a Data Protection Officer is also a welcome move and it means an independent person is responsible for ensuring the appropriate data protection practices are implemented within the company,” he said. “For many companies, this may require the appointment of a dedicated person, for others the role may be one that a member of staff takes on board as part of their normal duties.”

Jane Finlayson Brown, partner in the Allen & Overy data protection practice, said that the fining element was the most significant change, as infringements of certain provisions (e.g. international transfers or the basic principles for processing, such as the conditions for consent) attract fines of up to 4% of worldwide annual turnover, while a lower threshold of fines of up to 2% of annual worldwide turnover is set for other breaches (such as data minimisation).

I feel like I have been writing about the regulation for years, and in a few weeks it will mark four years since first moves were made to update the regulation. This is a fresh stepping stone to meeting data protection challenges in 2015/2016. When this passes and becomes law is anyone’s guess.
