How will the EU General Data Protection Regulation affect you?
Data protection in Europe is on the verge of change. A couple of years after it was originally mooted, the EU General Data Protection Regulation should come into effect sometime in 2015 – an act that, in replacing a directive in place since 1995, will fundamentally alter the information security landscape across the continent.
In fact, a major hurdle for the regulation was surmounted late last year when Vera Jourova, the EU’s new justice commissioner, made clear that she would follow in the footsteps of her predecessor Viviane Reding and strongly support the reform. This ends residual doubt that the European Commission’s October reshuffle would turn out to be its death knell.
The EU General Data Protection Regulation looks set to be adopted in 2015, at which point EU organizations will have a two-year transitional period in which to comply with the new laws. Are EU organizations familiarizing themselves with the challenges ahead?
According to a recent study from Kroll Ontrack and Blancco, awareness of the incoming regulation is actually remarkably low across Europe. From a poll of 660 IT managers, the firms found that four out of five (81 per cent) were unfamiliar with the EU General Data Protection Regulation. This was despite the fact that, once it was explained to them, the majority (57 per cent) of respondents acknowledged that it would affect their business.
Could you be among them? Here are some of the most significant changes of the new regulation:
One Law for Europe – and for Those That Handle EU Residents’ Data
Once adopted, the EU General Data Protection Regulation will supersede the EU Data Protection Directive – a legal act that, like all EU directives, has to be implemented and enforced on the state level. In the UK, for example, it takes the form of the Data Protection Act. As such, the EU General Data Protection Regulation will spell the end for what the EU calls an “inconsistent patchwork of national laws,” introducing a single regulation that applies equally to everybody.
That’s not all, though – the Commission also wants non-EU businesses to play by the same rules. Unlike the current directive, the EU General Data Protection Regulation will apply to organizations outside of Europe that process personal data pertaining to EU residents.
Fines of up to €100,000,000 or 5% of Annual Turnover
If there’s anything that should serve as an impetus for businesses to prioritize compliance with the EU General Data Protection Regulation, it’s that the EU plans a staggering increase to the financial penalties it can demand for data protection failures. Back in January 2014, Ms. Reding decried a €150,000 ($187,000) fine levelled against Google in France as “pocket money,” pointing out that it represented just 0.0003 per cent of the search giant’s turnover. The EU General Data Protection Regulation will boost the maximum penalty to €100,000,000, capped at five per cent of the company’s annual global revenue – a much more significant sum.
A need to notify individuals whose information is compromised
Finally, the EU General Data Protection Regulation will introduce new compulsory notification requirements for organizations that are implicated in data breaches. Evidence from the United States has shown that consumer notification results in adverse publicity and a subsequent erosion of brand, profit and share value. Organizations will no longer have the freedom to keep quiet about data protection failures, nor the opportunity to carry out forensic investigations before alerting the public.
Compulsory notification is nothing new. Most US states, for example, have rolled out data protection laws requiring that organizations inform customers of incidents in which their personal information is compromised. On both sides of the Atlantic, there’s strong sentiment that businesses should be made more accountable for errors in information security – paying for their failures in the form of fines, but also in corresponding shifts in consumer trust.
Will your business’ cyber defences stand up to scrutiny following the adoption of the EU General Data Protection Regulation? Your organization should already be focusing on protecting confidential personal information to reduce the risk of a data breach, but this regulation should focus minds even further.