Data Protection Across the Pond: Implications of the EU's New Legislation

Arthur Piper

February 1, 2016

Getting new data protection legislation passed in Europe has been a slow and painful process—especially with radical change afoot. When the European Commission proposed a comprehensive reform of EU data protection laws in January 2012, it marked the beginning of a lengthy period of negotiations between the European Union’s 28 member states in an effort to work out the details. But four years later, the process is almost complete.

In January, the European Parliament informally agreed to a new law, the European Union General Data Protection Regulation (GDPR). It was expected to be ratified later in the month and will go into effect in 2018, bringing along profound changes for European organizations and for non-European businesses serving that market. They include the right for someone to be forgotten on the internet and introduce much tougher consent laws for organizations wishing to process personal data.

Even if businesses don’t relish the prospect of stricter requirements, there are still things to like about the incoming regime. For one thing, Europe will have a unified set of rules governing the use of data that applies in exactly the same way in each of its member countries.

At present, national governments put their own spin on how the current rules apply. But the new law creates a “one-stop-shop” approach within individual countries. In practice, that means an organization can go to the regulator in the European country where it wants to operate and get advice that applies for the whole of Europe. Previously, large businesses would have to negotiate with multiple regulators in every country they were trading in, all with different interpretations and approaches to the law.

But fines for violating the rules could be substantial. At present, fines tend to be smaller than those imposed in the United States. The U.K.’s Information Commissioner’s Office, for example, has issued more than £5.5 million in fines since 2010, with the highest about £320,000 for the loss of personal data at Brighton and Sussex University Hospitals NHS Trust. It is an open secret that the magnitude of fines for data breaches in the United Kingdom and Europe is treated by many businesses as a minor inconvenience, rather than something that has any material impact on the way they operate. In the future, maximum fines for breach of the GDPR will be the higher of 2% of an enterprise’s annual revenue or €1 million. According to a survey by market analyst Ovum, 52% of organizations believe the new regulations will result in fines for their company.

“In a worst-case scenario, that could represent €3.2 billion for Deutsche Telekom,” said Claus-Dieter Ulmer, the head of the German company’s privacy department and its chief data protection officer. But he warns businesses not to put the cart before the horse when it comes to thinking about the risk of potential violations.

“It might be a good idea to come at these problems from the perspective of the criticality of data rather than the possible financial effects of getting it wrong,” he said. “You may not be able to measure those at this stage, but you can work out what and where your most important data is.”

Deutsche Telekom says companies need to carry out a gap analysis because, although the rules will not take effect until 2018, processes such as privacy by design, incident reporting and the ability to carry out a privacy impact assessment all have to be in place on day one. The rules also specify that every affected company—typically those that hold data on 5,000 or more European citizens—needs to appoint a dedicated data protection officer. That will inevitably affect the organization’s governance structure, at least as it pertains to its IT systems, if not more broadly. Those changes can take a long time to put in place for larger businesses.

At press time, tech consultancy IT Governance was conducting a survey among businesses to determine their readiness for the GDPR. The provisional results were mixed. Many had already implemented industry security standard ISO27001, making them broadly compliant with current standards. But there is also nervousness about the new rules among those who had already started looking at what they might mean—about eight in 10 of the businesses surveyed.

“In other words, the people who are aware, who are paying attention, are concerned about how they will comply with the requirements,” said IT Governance CEO Alan Calder. “I think that’s because the requirements are emerging and changing, and the enforcement mechanisms are not absolutely clear.”

Businesses want to know how the fines are likely to be calculated if they do break the rules, but they are unlikely to get those details until the regime goes live. Calder said companies that have been prepared to take a fine on the chin under the old system will likely not want to take that approach now. “It’s going to be a game-changer in that respect,” he said.

Calder predicts that data privacy will move up the corporate agenda for any business operating in Europe, including U.S.-based companies. In fact, he believes U.S. businesses will find the new regime similar to the approach taken to data privacy rules in some states—they do not rely on broad principles (the approach in Europe today), but set down requirements that need to be followed.

He urged U.S. businesses to start with their privacy impact assessments as soon as possible. Those with physical offices in Europe will need to think about how to recruit and train a dedicated data protection officer if they hit the 5,000 data-subject mark. Those that trade in Europe from within the United States will need to conduct privacy impact assessments around how they collect customer data, review how they currently store that data, and work out what they are going to do if there is a breach.

The GDPR is likely to have a significant impact on U.S. businesses—63% of respondents in the Ovum survey thought that the regulations would make it harder for U.S. businesses to compete. This is thanks, in large part, to Maximilian Schrems, an Austrian Facebook user based in Ireland. He complained back in 2013 that the data transferred by Facebook from Ireland to the business’s U.S. servers was not safe following revelations by the former National Security Agency contractor Edward Snowden that the U.S. government had access to it. The matter bounced around the courts until, in October 2015, Europe’s supreme court—the Court of Justice—agreed that the so-called Safe Harbor provisions, which enabled U.S. businesses to comply with European data privacy laws, were invalid. The Court effectively said that, because U.S. public authorities could access the private information of EU citizens, any rules relating to the transfer of their data to the United States should be controlled by the national governments of Europe. As of 2018, that control will be through the GDPR.

“When the regulation was being talked about until more recently, there was this view that there was Safe Harbor in place, so from the U.S. perspective perhaps some of the implications of the regulation wouldn’t be quite as fierce as they might have been,” said Steve Durbin, managing director of the independent industry trade body Information Security Forum. “Safe Harbor provided a means under which U.S. businesses could transfer data and they thought that everything would be rosy. Now that that has been swept away without any replacement for it, GDPR takes on a little bit more importance from a U.S. perspective.”

Durbin confessed that he “quite likes the regulation.” Despite the threat of large fines, for the first time it gives businesses operating within Europe clarity over what is expected from them. Further, he says it will significantly reduce the regulatory compliance risk of trading in multiple European jurisdictions because the rules will be the same throughout the whole region.

He has already seen companies start to examine whether they need to hold the amount and types of data they had been storing. “The advice they were given from a privacy and security perspective was, if you don’t need the data, don’t handle it. Don’t store it. Get rid of it,” he said. He believes a bigger headache will come from trying to work out how information given to third parties has been handled and stored—something that organizations will need to know under the new rules.

Paring down data could help, but the breach notification mechanism might prove difficult for some businesses. Under the GDPR, organizations will have 72 hours to notify both the regulators and individuals if important data has been leaked.

“That’s fairly quick,” said Christian Hamann, counsel and data privacy expert at the German law firm Gleiss Lutz. “If something happens on a Friday afternoon, it doesn’t give you much time.” In Germany, which is generally considered to have robust data privacy laws, he pointed out that companies only need to notify people when certain types of sensitive data have leaked, such as health care information, and then only if the loss could cause harm or loss to the data subject.

“These limitations will not apply under the regulation anymore, so you’ll have to notify each case,” he said. “That’s pretty much any data, and you have only a very limited time to decide whether or not you have to notify.”

Hamann is not a fan of GDPR. Having spent a lot of his career helping businesses comply with complex environmental protection rules, he sees too many negative parallels. He believes the rules will greatly increase bureaucracy because every new process will need to be compliant with the rules—the concept of privacy by design—and the process will have to be documented. Because of the costs involved, he fears businesses are likely to go through the motions without deriving much benefit.

“Personally, I’m convinced that it will not accomplish what the policymakers hope for,” he said. “It’s just a lot of paper-filling and box-ticking, followed by the search to find someone who is brave enough to sign off on it.”

Time will tell. But while the rules have been a long time in the making, organizations will need to act quickly if they are to be ready in time to comply. Even companies such as Deutsche Telekom, which has been working hard to put the right processes in place, have some way to go. When asked whether he thinks the company will be ready, Ulmer nodded. “Should be fine,” he said. He nodded again. “Yes, should be fine.”

Arthur Piper is a Nottingham, U.K.-based freelance writer and editor.