The General Data Protection Regulation is now, effectively, law. Businesses have 730 days from official publication (expected to be in June) to comply. It would be a mistake to think that this is just a European issue: it will affect every business throughout the world that holds or uses European personal data.
“The European Commission welcomes the final adoption of the new EU data protection rules by the European Parliament, following the adoption by the Council last Friday,” announced the European Commission on April 14.
Jan Philipp Albrecht, the European Parliament’s draftsperson/rapporteur for the regulation, commented, “The new rules will give users back the right to decide on their own private data. Businesses that have accessed users’ data for a specific purpose would generally not be allowed to collect the data without the user being asked. Users will have to give clear consent for their data to be used. Crucially, firms contravening these rules will face fines of up to 4% of worldwide annual turnover, which could imply € billions for the major global online corporations.”
This doesn’t just affect the big Internet companies like Google, Facebook, Microsoft and others. For example, a company of any size with a server in America that uses an Internet website that accepts European data is automatically exporting European data. In reality, however, GDPR cannot be enforced against this technicality if the company has no physical presence in Europe.
Enforcement of the GDPR is through the size of fines that can be levied: up to 4% of global turnover. This approach ensures that big companies cannot treat data protection as an inconvenient but minor cost of doing business. Before GDPR, the largest fine available to European regulators was the Ł500,000 maximum from the UK’s Information Commissioner. In most countries it was much less – meaning that companies like Google and Facebook could pay any fines out of their petty cash.
But it also gives users greater and easier control over the use of their personal data: users must give unambiguous consent for the use of the data; it can only be used for the consented purposes; users can change their mind over that consent; and they can demand the removal of all personal data that has been collected.
Confusion over if and when a breach needs to be disclosed is also removed. Article 31 states, “In the case of a personal data breach… not later than 72 hours” for disclosure to the relevant regulator. Disclosure to the public for a breach that carries risk to the public must be made “without undue delay” (Article 32).
There is a let-out. Disclosure is not necessary where the breach is “unlikely to result in a risk” to the individuals – that is, if the lost data is satisfactorily encrypted.
One thing that remains, inevitably, unclear is precisely when a company is in breach of the law. Chris Pounder, a data privacy and protection expert with Amberhawk, explained the issue in an email to SecurityWeek.
“If the company is a data controller subject to the GDPR and is processing personal data then it is subject to the enforcement mechanism for any infringement,” Pounder said. “As data controller, a company has certain obligations and failure to carry out these obligations cannot be punished until they come to attention of the Data Protection Authorities (i.e. if nobody knows about the infringement, then it is not going to be reported to the Authority).”
In effect, if there is no breach, and no users complain about misuse of their data, then there is no problem. The worrying aspect of this is that the vogue concept of risk-based security could suggest that the cost of complying with the GDPR is still greater than the risk of non-compliance.
This would be a dangerous route. Consensus says that all companies will be breached at some point. “Fines will no doubt be scaled based on the willingness to admit to a problem,” Skyhigh Network’s Nigel Hawthorn told SecurityWeek, “as well as the amount of data lost and the systems in place to control and manage data security.”
The best possible method to mitigate the risk of the new European Data Protection law will be the ability to demonstrate a serious attempt at good security policy.