On April 14, 2016, the EU Parliament passed the long-awaited new EU rules for personal data protection (GDPR). Everyone who holds or processes data on individuals in the 28 countries of the EU has until Star Wars Day 2018 (May 4) to comply.
The top 10 provisions of the regulation are:
- It is a global law. No matter where you are in the world, if you hold data on individuals in the EU and lose it, you are responsible and can be fined. For example, if you run a web site and a European visitor enters their contact information, you have to comply.
- Increased fines. Up to 4% of global turnover or €20,000,000 (US$22M).
- Opt-in regulations. Users must give clear consent to opt-in to their data being collected and you must only use it for the purpose defined. No opting out, no hidden terms, no selling/giving data to other people.
- Breach notification. If you lose data, you have 72 hours to tell the authorities.
- Joint liability. If multiple companies process the data, they are all liable if data is lost, so if you hold data YOU are responsible if data gets lost via a risky cloud service.
- Users can demand a copy of their data, and that it be corrected or deleted. If you hold data, you need to work out how you will achieve each of those.
- Removes ambiguity. One law across all 28 countries of the EU.
- Common enforcement. The authorities are expected to enforce consistently across all the countries. The good news is that data holders only need to deal with one authority.
- Collective redress. Users whose data is lost can sue together in class-action lawsuits.
- Data transfer. Data transfer from the EU is allowed, but subject to strict conditions.
If you work for a company collecting data, you are responsible for the security of that data no matter where it gets processed. It’s more important than ever that you know the shadow IT services that employees may be using, as they could be the conduit for data loss and your organisation will be liable.
There’s some good news for IT in the regulation – the new rules encourage privacy-friendly techniques such as pseudonymisation, anonymisation, encryption and data protection by design and by default. So capabilities such as encrypting data before it is uploaded to the cloud, especially when combined with keeping the keys on premises, can reduce your liabilities.
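To make the "keys on premises" idea concrete, here is an added example (not code from the original post, Skyhigh Networks or the Cloud Security Alliance) of pseudonymisation before upload: the direct identifiers are replaced by a keyed HMAC-SHA256 pseudonym, the key and the re-identification map never leave the on-premises side, and the same machinery answers the access and erasure requests the regulation gives users. The customer records, field names and key are all constructed for the example; it uses only the Python standard library.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample records, as they would sit in an on-premises system.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "name": "Alice Example",
     "plan": "pro", "last_login": "2016-04-12"},
    {"email": "bob@example.com", "name": "Bob Example",
     "plan": "free", "last_login": "2016-03-30"},
]

# Fields that directly identify a person and must not reach the cloud copy.
DIRECT_IDENTIFIERS = ("email", "name")


class OnPremPseudonymiser:
    """Holds the pseudonymisation key and the re-identification map.

    Both stay on premises. Without the key, a plain hash of an e-mail
    address could be reversed by guessing likely addresses; the keyed
    HMAC closes that path, which is what makes the cloud copy
    pseudonymous rather than trivially re-identifiable.
    """

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        self.lookup = {}  # pseudonym -> direct identifiers (on premises only)

    def pseudonym(self, email):
        # Normalise case so the same person always maps to one pseudonym.
        return hmac.new(self.key, email.lower().encode(), hashlib.sha256).hexdigest()

    def pseudonymise(self, record):
        """Return the record as it may be uploaded; remember the identifiers locally."""
        pid = self.pseudonym(record["email"])
        self.lookup[pid] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        cloud_copy = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        cloud_copy["subject_id"] = pid
        return cloud_copy


def build_cloud_store(pseudonymiser, records):
    """Simulate the upload: only pseudonymised records reach the cloud store."""
    return [pseudonymiser.pseudonymise(r) for r in records]


def leaks_direct_identifiers(cloud_store, records):
    """Check: does anything the cloud holds contain a direct identifier?"""
    blob = json.dumps(cloud_store).lower()
    return any(r[f].lower() in blob for r in records for f in DIRECT_IDENTIFIERS)


def subject_access(pseudonymiser, cloud_store, email):
    """Serve a 'give me my data' request: re-join cloud rows with on-prem identifiers."""
    pid = pseudonymiser.pseudonym(email)
    identity = pseudonymiser.lookup.get(pid, {})
    return [dict(row, **identity) for row in cloud_store if row["subject_id"] == pid]


def erase_subject(pseudonymiser, cloud_store, email):
    """Serve a deletion request: drop the cloud rows and the on-prem mapping.

    Even if a cloud row survived (a stale backup, say), removing the
    mapping and key material leaves it with no route back to a person.
    """
    pid = pseudonymiser.pseudonym(email)
    pseudonymiser.lookup.pop(pid, None)
    before = len(cloud_store)
    cloud_store[:] = [row for row in cloud_store if row["subject_id"] != pid]
    return before - len(cloud_store)


if __name__ == "__main__":
    p = OnPremPseudonymiser()
    store = build_cloud_store(p, SAMPLE_RECORDS)
    print("cloud copy:", json.dumps(store, indent=1))
    print("leaks identifiers:", leaks_direct_identifiers(store, SAMPLE_RECORDS))
    print("access request:", subject_access(p, store, "alice@example.com"))
    print("rows erased:", erase_subject(p, store, "alice@example.com"))
```

The design point is the split: the cloud side can still group and analyse records by `subject_id`, but the only thing that turns a `subject_id` back into a person is the key and the lookup map, and those stay under your control. Real deployments would also encrypt the remaining fields before upload (the example keeps them in clear so the pseudonymisation step is visible) and would protect the on-premises key with an HSM or key-management service.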
This is good news for EU citizens, as they will have strong and clear rights over their personal data, its collection, processing and security.
Some organizations have in the past treated personal data as a cheap commodity but this regulation clearly shows how valuable data really is and demands that they treat it with great respect.
We should all put a value on data about ourselves and our families and embrace this legislation because the outcome is that all of our data will be safer.
Nigel Hawthorn, EMEA Marketing Director, Skyhigh Networks
[Cloud Security Alliance Blog]