The European Parliament has recently voted to approve the long-awaited General Data Protection Regulation (GDPR). The bill was drafted in 2012 and passed with the EU’s Committee on Civil Liberties, Justice and Home Affairs with a 54-3 vote (with one abstention) in April 2016.
The GDPR replaces 28 European national laws with one central EU law. Parliament is lauding this as a positive change for companies, noting the change improves trust between citizens and businesses and simplifies the regulation process.
The data protection legislation signals a major shift for privacy laws in the EU and has significant and important implications for businesses, third parties, and citizens.
The law is extremely broad and covers a lot of ground around data protection and privacy, including:
The General Data Protection Regulation laws have created obligations to protect personal data on two types of companies: controllers and processors. The GDPR Directive defines a controller as “the person or entity that determines, alone or jointly with others, the purposes and the means of the processing of personal data.” In other words, a controller is a first-party company. A processor is defined as “the person or entity that processes personal data on behalf of the controller,” which makes this entity a third party.
The new laws denote that controllers should work with processors that are able to implement appropriate security measures to protect personal data. It also holds that controllers are to be held liable for their processors’ actions if they do not adhere to the appropriate security standards and a loss of personal data takes place.
When there's so much personal data at risk, the new law also states that there should be systematic monitoring systems in place—both in-house and also on third-party processors; however, the law does little to fully define what these monitoring systems should look like.
This law is being lauded as a game changer, and preparation for these changes is high priority for nearly every business in the EU.
In a recent Wall Street Journal article, the global privacy officer for Intel, David Hoffman, said the company is concerned about the potentially high fines, noting that “such high sanctions dis-incentivize business and investment.”
What needs to be done to prepare for these laws is specific to each company and depends on the industry, business relationships, and a number of additional factors. Even so, there are several best practices every EU organization should look into:
Controllers will need to begin revisiting each contractual agreement with their processors to ensure that they are clear in their security expectations to the sufficiency called for in the GDPR. This is a whole-of-company problem, so be sure to involve individuals from your legal and IT security teams to renegotiate your processor contracts. This article further details the data processors’ new obligations—so be sure to give it a read.
Even if your contracts are airtight, you won’t want to sit around and hope your suppliers are taking their security obligations as seriously as you—because if they don’t, you could be liable! So be sure to take a look at continuous monitoring software, so you can ensure your processors are in good standing and be constantly updated with their cybersecurity posture.
While companies do have a two-year period once the law is published to prepare for compliance, the sanctions that will begin in 2018 will be steep. Begin researching the data protection legislation immediately and implementing the changes necessary at once to avoid potential fines.
