Two new pieces of European legislation/regulation were agreed in December 2015.
I read a recent article in the FT: the Network and Information Security Directive (NISD), also known as the Cyber Security Directive, was agreed on 8th December, followed a week later by the General Data Protection Regulation (GDPR), agreed on 15th December.
Both pieces have been in preparation for several years, with the last few months taken up by the so-called “trilogue” where the European Commission, Parliament and Council work to agree a mutually acceptable text. With the texts agreed in December, both now go ahead to the final law-making stage.
GDPR is a regulation: it applies to all 28 European states and is designed to harmonise the various data protection laws already in place.
NISD, being a directive, will have to be passed into local law, adding a further stage to the process. Both GDPR and NISD are expected to come into force in early 2016, but there will be a two-year period during which organisations will be allowed to prepare for the new laws.
First, I consider the GDPR and its main implications for business. My next blog will focus on the implications of NISD.
GDPR represents a profound reform of data protection law in Europe, shifting the balance of power towards the citizen to whom the personal data belongs and away from the organisations that collect, analyse and use such data. Building on the long-standing 1995 Data Protection Directive, it establishes one set of data protection law across all 28 European states (although it should be noted that some states already have data protection laws that are, in some areas, more onerous than GDPR, making for rapid adoption in those countries).
Key changes that are going to be introduced by the new law are:
- The maximum penalties for mishandling data are 4% of global revenue or 20m euros, whichever is greater. For many organisations in the UK, this represents a huge increase over the Information Commissioner's Office (ICO) current maximum penalty of £500k.
- Responsibility for protecting personal information under GDPR will extend to data processors as well as data controllers. Some IT services companies that are currently sheltered by the fact that the client is often responsible for the data will find this an unwelcome change.
- Significant data breaches must be reported as soon as possible and, where feasible, no later than 72 hours after discovery of a breach.
- The definition of what constitutes personal data will expand significantly under GDPR, with personal data now extending to location, IP address, RFID identifiers, as well as whole new swathes of medical data, including genetic information.
- The “right to be forgotten” will be enshrined in law, allowing people to request that search engines delete links to the data in question.
- GDPR will apply to companies headquartered outside of Europe as long as they have operations in Europe or offer services to people in the EU.
- Gaining consent to use personal data will become more rigorous.
- There are new requirements to carry out Privacy Impact Assessments (PIAs), essentially reviews to ensure that personal data is sufficiently protected and the privacy of the individual maintained.
- There will be new requirements for Privacy by Design, so that protections for personal data and privacy are baked into all business operations and processes right at the beginning.
Once the final agreed text is published, we will know the impact more fully. The key question in the meantime is: do you understand the potential impact of the key changes in GDPR on your business? For more information on what this means for your business, please leave a comment with your thoughts, or get in touch directly.