EU data protection approval

by Mark Rowe

The Parliament of the European Union has approved the General Data Protection Regulation (GDPR). That paves the way for the UK and other EU countries to update their data protection law in line with the EU regulations in the next couple of years.

The EU Parliament and Council reached a provisional agreement on the data protection package, consisting of a regulation governing data transfers in general and a directive on transfers for criminal law enforcement purposes, in December 2015.

Comments

Ross Brewer, vice president and managing director of EMEA at LogRhythm, says: “While we’re still two years away from these laws coming into play, it is a huge step forward in the fight against cyber criminals. I’m sure many positives will come from these updated regulations, such as companies having to appoint a data protection officer if they are processing sensitive data at scale, as well as liability for data breaches extending to any data processors used by a data controller – both of which are logical changes in strategy if companies are truly serious about their cyber security.

“However, I’m sure the items that are really causing companies to sit up and take note are the threat of hefty fines and the small breach disclosure window. To comply with this, organisations will need to take urgent steps to ensure that they fully understand and have clear visibility into all network activity at all times. Without such pervasive insight, it can be near impossible to detect, analyse and report a breach in just 72 hours. This new regulation is being called the biggest shake-up to EU data laws in the past 20 years – and they’re probably right. If organisations continue to plead ignorance when it comes to IT security, they will sadly suffer the consequences, which are getting more and more severe.”

David Mount, director, security solutions consulting EMEA, Micro Focus, says: “The GDPR is going to have a huge impact on any businesses operating in the European Union, and how they store and process data. Throughout the drafting and ratification of the legislation, some elements of the regulation have been more controversial than others and it is interesting to see which measures have made it into the final text. Perhaps one of the more controversial elements is mandatory data breach reporting, since under the GDPR companies will be required to notify national data protection authorities and affected individuals within 72 hours of awareness of a data breach unless it is likely to put the rights and freedoms of the individuals at risk. This will be a technical challenge for those businesses unaccustomed to such stringent measures: they will need to identify the breach itself and the information assets likely to have been affected so they can give an accurate assessment of the risks to the authorities and consumers.

“While this may seem like a positive step towards improved data protection, the US example shows that in reality there can be an unintended consequence of ‘data breach fatigue’. Consumers become accustomed to receiving frequent data breach notifications for even very minor breaches, and as a result it can be hard for them to distinguish serious breaches requiring action from minor events which can be safely ignored. The effect is that sometimes consumers can’t see the wood for the trees, and may start to ignore all warnings – which somewhat negates the point of the measure. It remains to be seen whether or not this measure will have the desired effect in Europe.

“With two years to comply, businesses need to take action now by ensuring they fully understand the measures contained in the GDPR and what they mean for their business and its data use. Understand what data you hold, how you are using it, and make sure that you are practising good data hygiene by limiting access to data to only those who need it, and ensuring that authentication protocols are up to scratch for those users. Businesses should also consider deleting data that is no longer required so that it does not become an unnecessary risk.”

Eduard Meelhuysen, VP EMEA at Netskope, says: “The European Union General Data Protection Regulation (GDPR) will have far-reaching consequences for both cloud-consuming organisations and cloud vendors. And with the ratification of this piece of legislation, security teams will have to begin the process to comply in earnest.

“With a maximum fine of 20 million euro or 4pc of global turnover (whichever is higher) in cases where the data subject’s rights have been infringed – such as where data has been processed without a legal basis, or international data transfers have been performed – there is now more incentive than ever for companies to get their houses in order around data protection and privacy.

“With the complications presented by the cloud and shadow IT, personal data will be even harder to track and control. The security teams of data controllers will have to carefully create and document processes, policies, and products to ensure data subject rights and data security of processors.”

And Kate Lewis, Head of Data Strategy and Projects at identity data intelligence firm GBG, argues that an individual should be clearly informed about how their data is used: “The new legislation will bring much needed clarity to the data market. Individuals need to be clearly informed how their data will be used, especially in today’s threat landscape, with the choice to easily amend these preferences at any time. All too often, people forget the benefits of sharing data with organisations that use this data for identity management purposes, for example. As an individual, surely you’d be happy for your ID to be protected from fraud, or to be contacted regarding an asset you’d forgotten about or had been gifted in a will? Protecting that identity needs to be a priority but so too does providing value from the data exchange. My advice to businesses, then, is don’t delay implementation for the new regulations; companies should be reviewing their fair processing notice as soon as possible.”

Nigel Hawthorn, Skyhigh Networks’ chief European spokesperson, argues that the announcement is good news for EU citizens as companies must now treat data with respect. “Some organisations have in the past treated personal data as a cheap commodity but this regulation clearly shows how valuable data really is. Firms must now pull their heads out of the sand and adopt stronger measures to ensure data is treated with respect.

“Perhaps EU Parliament members are Star Wars fans, as companies have until May 4th 2018 to ensure compliance – 750 working days – so they need to get a move on. The changes may cause headaches for the IT department, compliance teams and even CEOs. Business leaders should put a value on data about themselves and their family and embrace this legislation because the outcome is that all of our data will be safer.”
