Analysis The General Data Protection Regulation (GDPR) has been ratified by the European Parliament.
The final seal of approval follows successful passage through the EU Parliament's Committee on Civil Liberties, Justice and Home Affairs. Following four years of discussions and amendments, the GDPR is now officially EU law and will directly apply in all EU countries, replacing ageing EU and national data protection legislation.
Companies have two years until a deadline of 4 May 2018 to adopt the measures in order to ensure compliance. The regulations will apply to companies outside the EU in cases where they do business within the Union.
The passage of the regulations marks the biggest ever shake-up of EU data protection laws, according to lawyers Hogan Lovells. The new rules – replacing pan European regulation put into place way back in 1995 – will have a significant international impact on the way we do business.
Influenced by technological advances and the Snowden revelations, the GDPR introduces new accountability obligations, stronger rights and ongoing restrictions on international data flows.
European head of privacy and cybersecurity at Hogan Lovells, Eduardo Ustaran, said: "It has taken several years but we have finally made it to the start line. The modernisation of European privacy laws has reached a critical milestone with the formal adoption of the Regulation.
"Businesses operating in Europe or targeting European customers need to get their act together and start preparing for the new regime. At stake are not only the consequences of non-compliance, but also the ability to take advantage of new technologies, data analytics and the immense value of personal information," he added.
Breach disclosure rules and tough fines
Notable changes in data protection rules include tougher penalties for companies in breach of EU data protection law, with fines of up to four per cent of global turnover and a requirement for companies to disclose personal data breaches within 72 hours. This mandatory data breach reporting is likely to prove the most controversial area of the new regulations.
Ross Brewer, vice president and managing director of EMEA at security tools firm LogRhythm, said the new rules would push enterprises to become more serious about compliance:
"While we're still two years away from these laws coming into play, it is a huge step forward in the fight against cyber criminals. I'm sure many positives will come from these updated regulations, such as companies having to appoint a data protection officer if they are processing sensitive data at scale, as well as liability for data breaches extending to any data processors used by a data controller – both of which are logical changes in strategy if companies are truly serious about their cyber security."
William Long, a partner at business law firm Sidley Austin, said that the new rules would apply to firms outside the EU that offer goods or services to Europeans.
"This is the end of a long road of establishing a new European Data Protection regime aimed at creating a single law on data privacy across the European Union, which will have a fundamental impact on businesses for a generation," Long commented.
"Companies outside of Europe, such as those in the US who offer goods and services to Europeans, will fall under the scope of this legislation and will face the same penalties for non-compliance."
Long added that national rules on the handling of health data, for example, will need to be squared with the GDPR.
"There are still a number of issues where some member states have fought successfully to implement their own national law requirements, for instance in the area of health data, and this will no doubt lead to certain complexities and inconsistencies," Long explained.
"However, organisations should be under no doubt that now is the time to start the process for ensuring privacy compliance with the Regulations. The penalties for non-compliance are significant – at up to 4% of annual worldwide turnover or 20 million euros, whichever is the greater."
Mark Thompson, privacy lead in KPMG's cyber security practice, added that the GDPR recognises different levels of privacy risk associated with small- and medium-sized enterprises (SMEs) and large global organisations.
"The approach of the GDPR provides a risk-based application of a 'one-size-fits-all' set of rules across the EU and recognises the different levels of privacy risk associated with SMEs and large global organisations," Thompson explained. "Privacy will be catapulted up the list of global organisations' enterprise risks, requiring them to re-evaluate to take action.
"For non-EU businesses that trade in the EU, this agreement will require some to re-think some of the activities they carry out in the EU. This makes it much harder to operate certain 'global' services and will require them to truly put an EU lens on the business activities which are undertaken in the EU market."
David Mount, director, security solutions consulting EMEA at enterprise software firm Micro Focus, said that meeting tougher breach notification rules will pose a challenge technically, as well as organisationally.
"The GDPR is going to have a huge impact on any businesses operating in the European Union, and how they store and process data," Mount said. "Throughout the drafting and ratification of the legislation, some elements of the regulation have been more controversial than others and it is interesting to see which measures have made it into the final text.
"Perhaps one of the more controversial elements is mandatory data breach reporting, since under the GDPR, companies will be required to notify national data protection authorities and affected individuals within 72 hours of awareness of a data breach unless it is likely to put the rights and freedoms of the individuals at risk. This will be a technical challenge for those businesses unaccustomed to such stringent measures: they will need to identify the breach itself and the information assets likely to have been affected so they can give an accurate assessment of the risks to the authorities and consumers," he added.
Greater transparency about data breach disclosure may seem like a good thing, but the US example shows that there can be an unintended consequence of "data breach fatigue."
"Consumers become accustomed to receiving frequent data breach notifications for even very minor breaches, and as a result it can be hard for them to distinguish serious breaches requiring action from minor events which can be safely ignored," Mount cautioned. "The effect is that sometimes consumers can't see the wood for the trees, and may start to ignore all warnings – which somewhat negates the point of the measure."
Although businesses have two years to comply with the rules, they ought to begin taking preparatory actions now, according to Micro Focus.
"Understand what data you hold, how you are using it, and make sure that you are practising good data hygiene by limiting access to data to only those who need it, and ensuring that authentication protocols are up-to-scratch for those users," Mount advised.
"Businesses should also consider deleting data that is no longer required so that it does not become an unnecessary risk." ®