We’ve been promised it for the last year, and finally, at the end of the year, Europe has got its arse in gear and come up with a sort of decision on the General Data Protection Regulation (GDPR).
After more than four years of talks and deliberation, Europe has at last reached the cusp of an agreement on the GDPR. For those with long memories - and believe us, you need long memories over this legislation - the current data protection rules date back to 1995 and the new regulation has been in the works since 2011. Things were on track for a decision on GDPR in 2015 and implementation sometime in 2016, but as usual the machinery in Europe has slowed the process, and we’re now looking at the full agreement next year, with delivery in 2018. That is good news in one sense, as it gives businesses two to three years to implement the regulation, but it’s still a long way off, and in reality it means another two to three years of instability and indecision for businesses that want to plan for GDPR.
What was decided yesterday was the top-level agreement on the GDPR and a date by which we should all comply, but little else in terms of actual implementation guidelines. So we now know the date by which businesses need to comply: 2018. Member states must adapt their national laws or pass new ones within two years of the new law’s official publication. We also know that consumers will have more control over how their data is used and retained, and that organisations that don’t abide by the rules will face fines of up to four percent of global sales. But the actual details of the agreement, such as how the fines will be applied or the nitty-gritty of how businesses should implement the regulation, aren’t due until the New Year.
Commenting on the decision Mark Thompson, Privacy practice leader at KPMG, welcomed the significant overhaul of the European privacy and data protection laws but warned that there would be a lot of work to do by the time the regulation comes into play in 2018.
“Some of the finer points and their impact will become clearer when the final document is released in the New Year. While there will be different concerns for each sector, we understand that sanctions could run as high as 4% of a company’s annual global turnover, and some of the new requirements, such as breach notification requirements, the right to data portability and the right to have your data erased, are likely to cause significant challenges for organisations to implement the rules effectively.”
He added, “The adopted risk-based approach provides a risk-based application of a ‘one size fits all’ set of rules across the EU and recognises the different levels of privacy risk associated with SMEs and large global organisations. Assuming that member states give the green light and the last few hurdles are passed, privacy will be catapulted up the list of global organisations’ enterprise risks, requiring them to re-evaluate their privacy risk postures and take action.”
Dr Elizabeth Maxwell, EMEA Technical Director at Compuware agrees that the new rules pose a major challenge for organisations that collect and store personal data. “First and foremost is the need to be in control of where any personally identifiable information (PII) resides within their systems. This might sound pretty simple, but it’s far from it; organisations not only need to consider their own back-end databases and backups, they also need to consider any data being used by outsourcers, partners or cloud service providers they’re working with. In many cases, data could even be in use outside of the EU – in the systems of an outsourcer developing mainframe applications for the business, for example. This would instantly create a breach of the new EU regulations unless the proper controls were in place.”
Tony Pepper, CEO of Egress Technologies, said that businesses need to start acting now. “Boards across Europe need to immediately start planning and implementing the right processes, training and technologies to protect the entire lifecycle of their data so they’re prepared for when the regulation is enforced. We can see from previous breaches that it is the small slip-ups, caused by human error, that have been the most common and largely the most damning. These are the errors that, until now, some organisations have not necessarily had to confess to. The weakest link in the chain is your workforce, and even with the best technology and will in the world, changing habits and getting user buy-in takes time - so you should start now. Matching security policy with user training and education, alongside smart, user-intuitive technology, is the only way forward.”
What do you think? How will the new regulation affect your organisation? Are you ready for the changes, or are you still undecided about what to do?