By Cindy Ng, technical analyst, Varonis
European regulators are serious about data protection reform. They’re inches away from finalising the General Data Protection Regulation (GDPR), which is a rewrite of the existing rules of the road for data protection and privacy spelled out in their legacy Data Protection Directive (DPD). A new EU data world is coming.
We’ve been writing about the GDPR’s long, epic journey over the last two years. But with the EU Council—kind of the EU’s executive branch—approving its own version, the stage is set for a final round of discussions with the EU Parliament to split the differences. The GDPR will likely be approved by the end of 2015 (or early 2016) and go into effect in 2017. Organisations, including U.S. multinationals that handle EU personal information, will soon be required to comply with tougher rules to prove they’re actively protecting personal data.
Based on the latest proposal from the Council, we now have a good idea of what the final GDPR will look like. So your homework assignment is to start thinking about these five items below.
Start Implementing Privacy by Design Principles
Developed by former Ontario Information and Privacy Commissioner Ann Cavoukian, Privacy by Design (PbD) has had a large influence on security experts, policy makers, and regulators. Cavoukian believes big data and privacy can live together. At the core, her message is that you can take a few basic steps to achieve the PbD vision: minimise data collected (especially PII) from consumers, not retain personal data beyond its original purpose, and give consumers access and ownership of their data.
The EU likes PbD as well. It’s referenced heavily in Article 23, and in many other places in the new regulation. It’s not too much of a stretch to say that if you implement PbD, you’ve mastered the GDPR.
Need to get up to speed quickly? Use this cheat sheet to understand PbD principles and guide you through key data security decisions.
Right to be Forgotten
The controversial “right to be forgotten” will soon be the law of the EU land. For most companies, this is really a right of consumers to erase their data. Discussed in Article 17 of the proposed GDPR, it states that “the (…) controller shall have the obligation to erase personal data without undue delay, especially in relation to personal data which are collected when the data subject was a child, and the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay”.
I think that clearly spells out the right to erasure.
What if the data controller gives the personal data to other third parties, say a cloud-based service for storage or processing? The long arm of the EU regulation still applies: as a data processor, the cloud service will also have to erase the personal data when asked to by the controller.
Translation: the consumer or data subject can request to erase the data held by companies at any time. In the EU, the data belongs to the people!
U.S. Multinationals Need to Safeguard Data
It’s worth reiterating Andy’s previous blog post where he urges large U.S. multinationals that collect data from EU citizens to implement data security policies as if those servers were in the EU.
Known as “extraterritoriality”, this principle is addressed in the beginning of the proposed GDPR. For legally-minded types, here’s the actual language in all its bureaucratic beauty:
Cross-border flows of personal data…are necessary for the expansion of international trade and international cooperation…when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of individuals guaranteed in the Union by this Regulation should not be undermined.
There are some issues and complexities about how this will be enforced. But with the U.S. saying its data storage laws apply to data held on Irish servers, it seems only natural that the EU can make a similar type of claim about its citizens’ data held in the U.S.!
How Much Will You Be Fined?
For serious violations (such as processing sensitive data without an individual’s consent or any other legal basis) regulators can impose penalties. There are differences between the EU Council’s version and the Parliament’s. The EU Council allows fines up to €1 million or 2% of the global annual turnover (i.e., revenue) of a company. The Parliament’s fines are far steeper at up to €100 or 5% of global turnover. These two bodies will have to work this out in the coming months.
The important point, regardless of the final rule, is that the GDPR penalties will amount to serious money for U.S. multinationals.
Consider Hiring a Data Protection Officer
Important projects – and yes, the proposed EU GDPR is a huge project – need owners. In the proposed EU GDPR, the Data Protection Officer (DPO) is supposed to be responsible for creating access controls, reducing risk, ensuring compliance, responding to requests, reporting breaches within 72 hours, and even creating a good data security policy.
Will you need to designate a DPO in your company? At this point, there are again differences between the EU Council’s proposal and the Parliament’s. The Council would like to make this a discretionary position, allowing each member state to decide whether it should be a mandatory requirement or not.
Our view: informally give someone in your company the powers of a DPO. It just makes good sense to have a manager or high-level executive as a focal point for EU rules.