10 things you need to know about the new EU data protection regulation
As with any regulation, the current draft could change. However, only minor changes were made between the last two drafts, despite lobbying attempts, and the latest version is possibly as close to final as we'll see. Below are 10 of the most important elements European organisations should take away from the current draft, to help them prepare for 2017.
This is a regulation, not a directive
The terms regulation and directive are often used interchangeably, but they are very different. A directive is implemented and enforced by individual countries but regulations become law without change when they are passed. The current EU data protection directive resembles a patchwork of slightly different laws across Europe but the new regulation will be implemented in all 28 countries.
Data processors will be held responsible for data protection
Under the directive, any data "by which an individual can be identified" was the sole responsibility of the data controller, ie the owner of this data. Under the new regulations, however, any company or individual that processes this data will also be held responsible for its protection, including third parties such as cloud providers. Put simply, anyone who touches or has access to your data, wherever they are based, is responsible in the case of a data breach. The ramifications of this are pretty broad. Third parties will need to be extra vigilant when it comes to securing the data of others, and data owners will want to thoroughly vet their partners.
With the new regulations in mind, organisations should think about reviewing their third party contracts now. In the case of cloud providers seriously consider having, as part of your contract, the ability to carefully review their procedures and even facilities to make sure they are up to scratch. Many cloud service providers, especially those based outside the EU, may not believe that the regulations apply to them, it is clear that they will.
The regulation has global ramifications
Don't let the terms 'EU' or 'Europe' fool you, the new regulation affects every global organisation that may have data on EU citizens and residents. Reputational damage is also a key element of a data breach and the new regulation is likely to harmonise 'naming and shaming' policies across each country. For instance, in the UK, the Information Commissioner's Office issues press releases when organisations are sanctioned at the moment, whereas some other countries are currently fairly "light touch.
Users will be able make compensation claims
The regulation will allow users to claim damages in the instance of data loss as a result of unlawful processing, including collective redress, the equivalent of a US-style class action lawsuit. Senior management will need a good understanding of what kind of impact this would have on their business. Not only can legal damages be incredibly costly from a financial perspective, they also represent further reputational damage as cases can carry on for years and keep the story in the public eye throughout this time. Sony, for instance, is currently facing seven class action lawsuits following last year's hack. The public will be reminded of Sony's security failings again and again.
There are tighter rules on transferring data on EU citizens outside the EU
Even if sharing is allowed (however legitimate the data controller thinks this is), the directive currently prohibits personal data from being transferred outside the European Economic Area (EEA) unless the controller assures an adequate level of privacy protection (the adequacy requirement).
When negotiating with a cloud provider, pose the question of whether they are allowed to move data between countries as part of the contract, whether they have to inform you of such a move or can only do so at your request. Get visibility into the CSP's HQ and data storage facilities (don't assume it is the same) and also any countries where they employ people who manage the service. Furthermore, whereas the directive allows a data controller to decide if a third-party provider is safe, under the regulation, only the commission can do so.
Harmonised user request rights
Under the directive, users already have the right to see the data collected about them. However, each country currently defines how data controllers should respond (the UK allows 40 days) and in the new regulation the deadline will be harmonised, probably to 20 days.
New erasure rights
In the new regulation, users can also demand that their data be erased. This may sound straightforward but it's not always that simple. If a person said they wanted to be removed from one of your databases, how would you go about doing so Would you have to remove data from multiple systems Are syncing protocols in place that would make doing so difficult Do you have processes now for this and how would you remove contact information from individual databases or spreadsheets These are questions that need answering now, not after the regulation comes into play.
It is your responsibility to inform users of their rights
Under the new regulations, controllers must inform and remind users of their rights, as well as documenting the fact that they have reminded them of their rights. In addition, users should not have to opt-out of their data being used, they must opt-in to your systems. This is more stringent than the current directive and companies that fall foul of these measures will face larger fines.
Tougher sanctions and streamlined incident reporting
This is the big one. In case there was any doubt about how serious the regulators are taking the data breach issue, sanctions have been made much, much tougher. Fines may be as high as 100m or 5 percent of global revenue (whichever is higher), in stark contrast to what we currently have in the UK, which is a maximum fine of £500,000.
Currently, different countries have different rules on data loss reporting for both the regulator and users. The regulation is intended to streamline the process, most likely so that regulators must be informed in 72 hours - unless, as per the 'reasonable expectations' requirement (explained shortly), data was encrypted or tokenised.
Arguably, something is missing from this new rule, namely how much time organisations have to inform users. TalkTalk, for instance, recently suffered a data breach and informed regulators within the required 72hrs (the UK rule). However, users were not informed until several months later, in which time hackers had used stolen contact information to phone/email TalkTalk customers, pretending to be from the company in an attempt to steal money. TalkTalk should have moved faster to inform its customers of the data breach.
Encryption and tokenisation can come to your rescue
It's not all bad news, there's a piece in the regulation saying that controllers must meet individuals' "reasonable expectations" of data privacy. This is an interesting term as the regulations stipulate that tokenised, encrypted or pseudo-anonomised data does indeed meet these expectations. This is great news, as it allows organisations to encrypt or tokenise data before uploading to the cloud. Assuming that companies keep the encryption keys on their own premise, firstly data loss is much less likely and, if it does happen, they can show the regulators that they took steps to "meet the individuals reasonable expectations of data privacy".
Conclusion
This period, when the regulation is drafted but not yet in effect, is the ideal time for IT, security, and compliance teams to review the new requirements, seek legal guidance and put into place processes that will enable compliance. There are many other changes aside from these ten and a new eBook written jointly with Anthony Lee, a well-known data protection lawyer and partner at DMH Stallard, provides additional details on the most important areas, especially where it affects the usage of cloud services and data stored in the cloud.
Nigel Hawthorn is EMEA director of strategy at Skyhigh Networks.