by Bharat Mistry
They must have put something in the water round the EU negotiating table this month. Barely a week after a landmark deal was agreed to implement the Network and Information Security (NIS) Directive, the European Parliament and Council have cleared the way for an imminent final agreement on the much-anticipated EU General Data Protection Regulation (GDPR). As it stands, the new region-wide law will have a major impact on the way UK organisations handle and protect their customers’ data.
The message for CISOs is clear: it’s time to get serious about compliance plans.
A brief history of GDPR
The regulation has been nearly four years in the making. It will harmonise laws across the European Union and must be implemented ‘as-is’ by all member states – so there’ll be no more negotiation or localisation possible after it is finally voted on by Parliament in the new year. The good news is that it will not take effect for two years after that, which is just as well, as the changes it brings will effect a huge shake-up across the continent and beyond – to any company with EU customers.
Here are some of the main elements of the regulation as it now stands after the “strong compromise” reached between the European Parliament and Council.
- Fines of up to 4% of annual turnover for breaking the rules
- Data Protection Officers (DPOs) must be appointed if organisations “process sensitive data on a large scale or collect information on many consumers”
- Right to be forgotten – if there are no legitimate grounds for retaining it, information on an individual must be deleted on request
- Right to data portability – easier transfer of data between service providers
- Mandatory breach notifications – to relevant supervisory authority within 72 hours, in the event of a “serious” breach
- One-stop shop – a single regulator for multinationals, in the country where they have their HQ
- Consent – businesses must get users’ explicit consent to use their data
What it means
The regulation is good news for consumers increasingly concerned about how businesses use their data. But on the corporate front it will mean some big changes – not least to ensure data is kept secure. The NIS Directive was one thing, but the GDPR will mandate breach notification for a much bigger swathe of organisations. Coupled with the prospect of huge fines for non-compliance, this will focus the board on putting information security at the heart of their spending plans.
For CISOs, this is good and bad news. On the plus side there should be more money freed up, but unfortunately this will likely be combined with intense scrutiny from above. There’s also the question of who to choose to fill the tricky DPO role. Ideally they’ll act like a mini regulator – familiar with the legal compliance aspect of data protection laws, with data security, and with a whole host of IT process and business continuity issues. That won’t be easy.
On the other hand, there’s good news for smaller firms. SMEs will be exempt from the breach notification requirements and the appointment of DPOs, and can even charge a fee if it is deemed that access requests are “manifestly unfounded or excessive”.
As with NIS, the devil’s in the detail and we’ll know a lot more once the regulation has formally been passed. But CISOs will soon find out that two years is not a long time to get their houses in order.