The long-awaited European Union General Data Protection Regulation (GDPR) has passed its final legislative hurdle and is now on course to land in 2018, reshaping the way organizations across the region approach data privacy.
First proposed back in 2012 by then Justice commissioner, Viviane Reding, the GDPR will impose a series of strict new requirements for organizations, designed to harmonize laws across Europe and protect the privacy rights of citizens.
Key among the new rules are the right-to-be-forgotten, mandatory data breach notifications, mandatory data protection officers and fines of 4% or €20m for serious breaches of the new law.
“Today's vote marks a significant achievement, and the culmination of over four years of hard work with the European Parliament, the Council, business, civil society and other stakeholders,” read a joint statement by Justice commissioner Vera Jourová, first VP Frans Timmermans, and Digital Single Market VP, Andrus Ansip.
“The new rules will ensure that the fundamental right to personal data protection is guaranteed for all. The General Data Protection Regulation will help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and legal certainty for businesses based on clear and uniform rules.”
KPMG privacy lead, Mark Thompson, argued that there’ll be a lot of hard work for EU and non-EU firms to do before 2018.
“For non-EU businesses that trade in the EU, this agreement will require some to re-think some of the activities they carry out in the EU,” he added. “This makes it much harder to operate certain ‘global’ services and will require them to truly put an EU lens on the business activities which are undertaken in the EU market."
Tony Pepper, CEO of encryption firm Egress Software Technologies, argued that organizations will need to protect data through its entire lifecycle.
“Control and auditing are paramount to this – especially in light of the GDPR,” he added.
“If, for instance, data is sent in error, the ability to immediately prevent a recipient from viewing that content and provide a full report of the actions taken with it will form an integral part of a company’s defenSe. Reassurance that the effects of a data breach have been mitigated are important not only for the regulators but also for customers too.”
David Mount, director of security solutions consulting EMEA at Micro Focus, advised organizations take a pragmatic approach.
“Understand what data you hold, how you are using it, and make sure that you are practising good data hygiene by limiting access to data to only those who need it, and ensuring that authentication protocols are up-to-scratch for those users,” he explained.
“Businesses should also consider deleting data that is no longer required so that it does not become an unnecessary risk.”
However, not everyone welcomed the new rules.
Non-profit Washington-based think tank the Information Technology and Innovation Foundation (ITIF) branded the GDPR a mistake and urged European lawmakers to “turn in a new direction.”
“The new regulation’s intent may have been to give citizens control of their personal data, but its provisions will be onerous in practice—like trying to sail with an anchor overboard,” it said in a statement.
“Large, medium-sized, and small businesses, entrepreneurs, civil society groups, and government all will have an unduly hard time using data to start new ventures, expand well-established ones, or enrich European citizens’ lives by discovering solutions to challenges in health care, education, or the environment.”
Organizations now have until 4 May 2018 to get compliant – around 750 working days.