Driven in part by the onslaught of high-profile data breaches, such as those at Target, Sony, Anthem and Ashley Madison, the European Union (EU) is reforming its data protection legislation. The General Data Protection Regulation (GDPR) will replace the 1995 Data Protection Directive (95/46/EC); at the time of writing it is expected to be adopted in early 2016, with enforcement beginning in 2018 after a two-year transition period. Because it is a regulation rather than a directive, it applies directly in all 28 EU member states without having to be transposed into national law in each country.
Designed to unify how the EU as a whole addresses data privacy and security, the GDPR introduces significant privacy and data protection reform. It will apply to businesses established in the EU that process personal data, and to businesses outside the EU that monitor the behaviour of individuals in the EU or process personal data obtained by offering those individuals goods or services.
One of GDPR’s major strengths is that it clarifies how organizations should handle, store and protect data, making it easier for companies to comply and avoid penalties. Among the new requirements, organizations will need to:
- Develop and implement a process for regularly testing and evaluating the effectiveness of their technical and organizational security measures.
- Identify where and how personal data is stored and processed, and determine which of that data should be encrypted and in what state (at rest, in transit, or both).
- Ensure that transfers of personal data outside the EU comply with the GDPR.
- Accommodate the right of individuals, within reason, to request that data about them be erased (the "right to be forgotten").
One key provision of the GDPR concerns data breach notification. Before the GDPR, Europe had some of the strongest privacy regulations in the world but no general requirement to report breaches. Going forward, an organization that suffers a personal data breach must notify the relevant supervisory authority within 72 hours of becoming aware of it, or face a steep fine. This matters because, as the more prolific breaches affecting millions of customers have shown, organizations that are transparent and provide timely updates are better able to preserve customer trust.
Non-compliance with the new regulation will carry fierce consequences. According to one news source, the proposals under negotiation would allow companies that fail to comply to be fined between 2 and 5 percent of their global annual revenue, or up to 100 million euros, whichever is higher.
The GDPR is likely to present increased compliance challenges for many organizations in that it requires organizations to adopt appropriate technical and security measures as part of the compliance process. Organizations will have to review their current practices and be prepared to make extensive changes where necessary.
While the GDPR raises the bar for compliance and introduces steep fines, the pay-off is that it replaces 28 sets of national data protection laws with a single regulation, substantially reducing compliance costs, complexity and uncertainty about reporting obligations. Uniting 28 states under one commonly accepted data protection law may also ease government-to-government engagement on data security issues, particularly as they relate to business operations. In this regard, the EU may have taken the first step in demonstrating that regionally driven security standards are a workable way forward.