At some point in 2015 or, if bureaucracy permits, even this year, Europe will have a new framework for information privacy.
It would be wrong, though, to dismiss the forthcoming General Data Protection Regulation as another example of Brussels arcana. The new rules will force an update to data protection laws across the EU and require some far-reaching changes to how European companies do business.
The new regime is no mere tweak to existing rules. It has support at the highest levels in the European law-making system and replaces a set of less binding rules which first came into play in 1995. That, of course, was a world before broadband, tablet computers, smartphones and big data.
The EU is playing catch up with rapidly changing technology. But it is also bringing its data protection framework in line with laws in other parts of the world, as well as with the way we use personal information today.
Some of the new clauses are mundane. Others may cause board members to break out in a cold sweat.
Chief among these is the new penalty regime. Guy Bunker, a security expert and vice president at Clearswift, a technology vendor, describes the new penalties as “killer sized”. Others have described them as company busting.
The EU will gain the power to fine companies up to 5 per cent of their annual, worldwide turnover or up to €100 million, whichever is greater. This puts almost all previous data protection laws in the shade.
Even if, as lawmakers suggest, it will only be used for the most flagrant and repeated breaches, it is a very serious sanction indeed, and an increase on the 2 per cent penalty in early drafts of the regulation, although that was uncapped.
“Nor is it the case that fines will only be levied for the most serious contraventions,” warns Vinod Bange, partner at law firm Taylor Wessing. “You could be fined for not having a privacy impact assessment or not having the proper systems of controls around subject access requests.” The EU law is a move away from the British, outcomes-based regulation to the more prescriptive, Continental approach, he adds.
Firms that suffer a data breach will, under the new rules, also have a legal duty to disclose the loss. Breach disclosure is not a new concept; it is now widespread across the United States, following legislation pioneered in California.
Some businesses, principally telecommunications providers and internet service providers, already have to disclose breaches within 24 hours.
A similar measure to force companies to tell their customers or “data subjects” about a breach is proposed under the new regulation, although it is possible this disclosure deadline may be extended to 72 hours.
Either way, it will be a significant new burden on businesses’ IT departments, not least because the latest generation of hacking tools is designed to go undetected. Equally, it is hard for large businesses with complex networks to know exactly where all data is, leading to what some experts worry could be over-reporting of data losses.
Firms handling personal data will also need to carry out data privacy impact assessments. The idea is to encourage another principle of the new law, privacy by design. Companies need to build privacy into their processes and, if there could be a specific risk around personal data, carry out a risk assessment.
In addition, under the legal “right to be forgotten”, EU citizens can demand that companies erase information held on them; a separate right to data portability lets them retrieve their data to send to another provider. Companies processing even relatively small numbers of records – 5,000 data subjects in a year – will need to appoint a data protection officer.
These rules will inevitably impose new burdens on companies, especially those that have lagged behind in their data protection measures.
At the same time, the regulation should create a level playing field across Europe. Businesses will, for example, be able to nominate their main country of business as the one where their data protection measures will be regulated.
And, as businesses depend more and more on data for their operations, there is a case for good practice around data management and security. “Across Europe, they are trying to create a baseline [in data privacy] where everyone adheres to a minimum level,” says Mark Brown, director of risk and information security at EY, the professional services firm.
Mr Brown suggests that firms should act now, and carry out a gap analysis to establish their level of compliance and how that might need to change. This should include looking at which data is gathered and why, where it is held, and for how long.
With the right to be forgotten, data destruction is almost as important as data protection. These steps could also identify areas where firms may still be compliant, but might benefit from improving data protection measures, for example by better protecting their own intellectual property or bolstering customer trust. This is the view held by many in the data security industry.
“The driver is common sense,” says Dietrich Benjes, director for the UK and Middle East at technology vendor Varonis. “It is ensuring personal information doesn’t leak or isn’t misused. You have to identify that information, who holds it and the security controls around it. Treat data like a business asset.”
Andy Heather, vice president for Europe, the Middle East and Africa at Voltage Security, concedes: “When anyone says the word regulation, the first thing that springs to mind is increased cost.
“On the other hand, the attention being paid to information security, because of the high fines, makes it easier to get funds allocated to solving problems. It is not negative. It is going to have a positive impact.”
And, although businesses might not welcome additional regulatory or financial burdens, the EU moves are a response to a more dangerous cyber world.
“The original driver [for the law] was, hand on heart, to protect individuals from being exploited and abused by the next generation of crime,” concludes Clearswift’s Mr Bunker. “It is a response to a need to protect citizens.”
TAKING CARE OF DATA – AND BUSINESS
For businesses across Europe, proposed EU data protection regulations pose both technical and practical challenges.
Teleplan, a Dutch company with operations in the UK, provides repair and warranty services to computer and consumer electronic brands. Should your PC or tablet fail, there’s a good chance it will be Teleplan that will arrange a repair at its factory near Amsterdam’s Schiphol airport or send out a replacement device.
But this means the company has to take special care of customer data. Not only might there be personal information on the smartphones or tablets it repairs, but it also has to collect delivery and warranty information from customers. This data might seem mundane, but it still has to be protected.
According to Teleplan’s vice president of client solutions Sven Boddington, protecting data on devices means strict controls and a “chain of custody” around who handles a smartphone, tablet or PC.
For customer data, it means collecting the minimum amount of information Teleplan needs to do its job. It needs serial numbers and possibly a shipping address, but it would not, for example, ask for a customer’s date of birth as a matter of routine. Making sure the company collects only the information it needs is as important as protecting the information it holds, says Mr Boddington.
But the new laws also present an opportunity to do more with data. One change, during the drafting of the data protection regulation, has been to make it easier for companies to use “anonymised” data, stripped of personal information.
This, Mr Boddington says, could allow Teleplan to provide technical feedback to the electronics companies, based on the types of repairs they carry out which, in turn, could help them develop better products.