Overview of the General Data Protection Regulation (GDPR)
The European Commission put forward its EU Data Protection Reform in January 2012 to make Europe fit for the digital age. More than 90% of Europeans say they want the same data protection rights across the EU – and regardless of where their data is processed.
The Regulation is an essential step to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market. A single law will also do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The Directive for the police and criminal justice sector protects citizens’ fundamental right to data protection whenever personal data is used by criminal law enforcement authorities. It will in particular ensure that the personal data of victims, witnesses, and suspects of crime are duly protected and will facilitate cross-border cooperation in the fight against crime and terrorism.
On 15 December 2015, the European Parliament, the Council and the Commission reached agreement on the new data protection rules, establishing a modern and harmonised data protection framework across the EU. The European Parliament’s Civil Liberties committee and the Permanent Representatives Committee (Coreper) of the Council then approved the agreements with very large majorities. The agreements were also welcomed by the European Council of 17-18 December as a major step forward in the implementation of the Digital Single Market Strategy.
On 8 April 2016 the Council adopted the Regulation and the Directive. And on 14 April 2016 the Regulation and the Directive were adopted by the European Parliament.
On 4 May 2016, the official texts of the Regulation and the Directive were published in the EU Official Journal in all the official languages. The Regulation enters into force on 24 May 2016 and applies from 25 May 2018. The Directive enters into force on 5 May 2016, and EU Member States have to transpose it into their national law by 6 May 2018.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
Agreement on Commission’s EU data protection reform
- How does the data protection reform strengthen citizens’ rights? (2016)
- How will the EU’s reform adapt data protection rules to new technological developments? (2016)
- What benefits for businesses in Europe? (2016)
- How will the data protection reform affect social networks? (2016)
- How will the EU’s data protection reform strengthen the internal market? (2016)
- How will the EU’s data protection reform make international cooperation easier? (2016)
- How will the EU’s data protection reform simplify the existing rules? (2016)
- The EU data protection reform and Big Data (2016)
Commission Proposals on the data protection reform: legislative texts
- Report and annex
- Impact Assessment and Annexes, Annex 9
- Impact Assessment: Executive summary
- Public consultation
Current legal framework
Public opinion surveys
Cybersecurity and the GDPR
The cybersecurity landscape is changing rapidly, driven by our increasingly digital lifestyle, the proliferation of connected devices and changes in how information flows through an organisation. As data becomes more readily available to business users, it also becomes easier for cybercriminals to reach and abuse it. With the UK Data Protection Act fast becoming outdated, the GDPR offers a single, unified set of rules for protecting personal data, consistent across the region and better suited to an era of social, mobile and cloud-based sharing.
Understandably, the new Regulation has several implications for any business processing the personal data of individuals in the EU, irrespective of where the business itself is located, and preparations must be made to ensure compliance and avoid the much stricter penalties. Once the GDPR applies, a personal data breach must be notified to the competent supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals affected. Every breach, whether or not it crosses that threshold, must be documented, so incident records need to capture the facts of the breach, its effects and the remedial action taken.
As for those penalties, non-compliant organisations face administrative fines of up to €20,000,000 or four percent of total worldwide annual turnover for the preceding financial year, whichever is higher, which will undoubtedly have a serious impact on a business’s bottom line. A lower tier of infringements carries fines of up to €10,000,000 or two percent of worldwide annual turnover, again whichever is higher.
What should be classed as sensitive data?
A key question concerns the definition of ‘sensitive data’. As more of our lives move online, this definition keeps evolving. The GDPR’s definition of personal data explicitly reaches online identifiers such as cookies, RFID tags and IP addresses, and its special categories of data, which may be processed only under strict conditions, now include genetic and biometric data. Before an organisation processes such information, it should take stock of the protective measures around that data: the safeguards, the security controls and the mechanisms that lower the risk of exposure. For processing likely to carry a high risk to individuals, the GDPR makes this a formal requirement in the form of a data protection impact assessment.
For many businesses, getting IT security right is a difficult challenge. We have witnessed big breaches at high-profile brands from VTech to TalkTalk to Target, and the damaging financial and reputational fallout that followed. The GDPR offers organisations a chance to analyse their existing security mechanisms seriously against a set of criteria that will not only strengthen their cybersecurity position but also lessen the risk of a very expensive breach. For many, this adaptation will be difficult, time-consuming and costly, so it makes sense to start mapping out future-proof security strategies, planning for the changes and investing in suitable technology sooner rather than later.
With cybercriminals going to extreme lengths to get their hands on sensitive or lucrative data, the ultimate goal for organisations should be to protect the data itself, not merely the perimeter around it. We are living in an age where data breaches are almost inevitable, so it makes sense to defend data with encryption so that it remains unreadable and virtually useless if and when it falls into the wrong hands; the Regulation itself lists encryption among appropriate security measures, and a controller need not notify affected individuals of a breach where the data was rendered unintelligible to anyone not authorised to access it. An inventory must be taken of all data that is produced, processed and stored, so that there is full insight into how and where the information flows, since data nobody knows about cannot be encrypted. A default strategy of ‘encrypt everything’, at rest and in transit, will be critical to ensuring compliance, and today’s advances mean that encryption is no longer an expensive or cumbersome process; it is now faster and easier than ever before to secure data this way, so there is very little excuse for organisations failing to do so.
That said, encryption is only a start; effective protection must go beyond it, particularly when considering the threat from within, since whoever can use the keys can read the data. Access controls are an important extra layer of defence, ensuring that only users with the appropriate level of authorisation can reach a given data set. Access to an encryption key should be granted to a named user, every use of it controlled and accounted for, and entitlements enforced through rules on which data a user may decrypt, a prohibition on sharing that access with another user, and other factors such as the time of day.
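As an added example (written for this page, not code from the original article or from any product it mentions), here is how the two points above fit together in Go: records are encrypted at rest with AES-256-GCM, the keys live only inside a key store that releases them per named user and per permitted time of day, and every key use, allowed or refused, is written to an audit log. The key id, user names and sample record are constructed for illustration; a real deployment would back the store with an HSM or KMS rather than an in-memory map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

type Record struct { // an encrypted personal-data record as stored: unreadable without the key named by KeyID
	KeyID             string
	Nonce, Ciphertext []byte
}

// Entitlement lets one named user use one key from StartHour (inclusive) to EndHour (exclusive), UTC;
// because it names the user, access cannot be handed on to someone else.
type Entitlement struct {
	User, KeyID        string
	StartHour, EndHour int
}

// AuditEvent records every attempt to use a key, whether it was allowed or refused.
type AuditEvent struct {
	When                time.Time
	User, KeyID, Action string
	Allowed             bool
}

// KeyStore holds the data-encryption keys and decides who may use them; callers never see key bytes.
type KeyStore struct {
	keys         map[string][]byte
	entitlements []Entitlement
	Audit        []AuditEvent
	now          func() time.Time // injectable clock so time-of-day rules can be tested
}

func NewKeyStore(now func() time.Time) *KeyStore { return &KeyStore{keys: map[string][]byte{}, now: now} }

// GenerateKey creates a fresh random 256-bit AES key under the given id.
func (ks *KeyStore) GenerateKey(id string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	ks.keys[id] = key
	return nil
}

func (ks *KeyStore) Grant(e Entitlement) { ks.entitlements = append(ks.entitlements, e) }

// gcmFor is the single gate in front of every key use: it checks the caller's entitlement for the
// current UTC hour, logs the attempt either way, and only then builds the cipher from the key.
func (ks *KeyStore) gcmFor(user, keyID, action string) (cipher.AEAD, error) {
	now := ks.now().UTC()
	allowed := false
	for _, e := range ks.entitlements {
		if e.User == user && e.KeyID == keyID && now.Hour() >= e.StartHour && now.Hour() < e.EndHour {
			allowed = true
		}
	}
	ks.Audit = append(ks.Audit, AuditEvent{now, user, keyID, action, allowed})
	if !allowed {
		return nil, fmt.Errorf("access denied: %s may not %s with key %q at %02d:00 UTC", user, action, keyID, now.Hour())
	}
	block, err := aes.NewCipher(ks.keys[keyID]) // an unknown id yields a nil key, which NewCipher rejects
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt protects plaintext with AES-256-GCM, binding the key id as associated data so a stored
// record cannot be quietly re-pointed at a different key.
func (ks *KeyStore) Encrypt(user, keyID string, plaintext []byte) (Record, error) {
	gcm, err := ks.gcmFor(user, keyID, "encrypt")
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{keyID, nonce, gcm.Seal(nil, nonce, plaintext, []byte(keyID))}, nil
}

// Decrypt reverses Encrypt; the GCM authentication tag rejects any record altered in storage.
func (ks *KeyStore) Decrypt(user string, r Record) ([]byte, error) {
	gcm, err := ks.gcmFor(user, r.KeyID, "decrypt")
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(r.KeyID))
}

func main() {
	ks := NewKeyStore(time.Now)
	_ = ks.GenerateKey("customers")
	ks.Grant(Entitlement{"alice", "customers", 0, 24})
	rec, _ := ks.Encrypt("alice", "customers", []byte("Jane Doe, 192.0.2.10")) // constructed sample record
	_, err := ks.Decrypt("bob", rec)                                            // bob holds no entitlement
	fmt.Println("bob:", err, "| audit entries:", len(ks.Audit))
}
```

Callers never receive key material: Encrypt and Decrypt both pass through the same gate, so the audit log is complete by construction, and binding the key id as GCM associated data means a record copied under another key id fails authentication instead of decrypting silently. The clock is injected so the time-of-day rule can be exercised deterministically.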
With these basic measures in place, organisations will be better placed to operate in a post-GDPR world. However, things change and it is important not to become complacent. Instead, data security should be considered a constant work in progress, with regular testing and evaluation of the effectiveness of these tools built into the overall data protection strategy.
In summary, the GDPR is a definite step in the right direction and will hopefully bring about much-needed change in organisations currently falling behind on critical security requirements. Although the deadline may seem far off now, it will most certainly creep up, with devastating consequences for those who fail to take heed.