General Data Protection Regulation (GDPR) , Governance & Risk Management , Privacy

Europe's Strong GDPR Privacy Rules Go Into Full Effect

It's May 25: Do You Know Where Your Data Protection Polices Are?
Europe's Strong GDPR Privacy Rules Go Into Full Effect
European Union flag. (Photo: Yanni Koutsomitis, via Flickr/CC)

Europeans' enhanced privacy rights are now in full effect.

See Also: Using the Netskope HIPAA Mapping Guide

As of Friday, Europe's General Data Protection Regulation is being enforced by EU member states' privacy watchdogs.

"May 25th, 2018, is the date from which the data protection authorities and the supervisory authorities in each of the member states within the EU will start enforcing the regulation and start looking at organizations to make sure they are compliant with GDPR and making sure that they are protecting people's personal data in accordance with the requirements set out in the regulation," data protection expert Brian Honan, who heads Dublin-based BH Consulting, tells Information Security Media Group.

GDPR now stands as the world's toughest privacy law, in that it gives Europeans a greater right to privacy, in part, by holding organizations that store Europeans' data to strict standards of accountability and transparency.

Protects 'Data Subjects'

"Compared to the previous legal framework within the EU, GDPR ... introduces an enhanced approach on governance, accountability, the role of data protection officers, data breach notifications, risk-based strategies, security measures, consent giving and fines, providing a sound future-proof legal framework in favor of the data subjects," the EU's cybersecurity agency, ENISA, says. "Notions such as 'data protection by design and default' and 'the right to be forgotten' open up new possibilities in practice for sensible protection of fundamental rights."

The specific requirements imposed by GDPR vary and can differ based on industry and organizational size. But they apply worldwide to any organization that accesses, stores or works with Europeans' personal data (see GDPR Enforcement Begins: Impact on Healthcare, Banking).

Organizations that need to comply with GDPR must be able to demonstrate that their approach to data privacy and complying with the regulation is both transparent and accountable, says information security expert Brian Honan.

For the first time, Europe also now has a mandatory breach reporting regulation. Many organizations must also have in place a data privacy officer, in charge of their organization's data privacy practices. And organizations are required to provide Europeans with a copy of the personal information they store on them, on request, as well as to field consumers' requests that their personal details be "forgotten," although that right is not absolute.

GDPR: In Effect Since 2016

The need to comply with GDPR appears to still be sending organizations scrambling to figure out just what that means, not only in Europe but everywhere from Australia and India to the Middle East and United States.

But the countdown to GDPR enforcement day has been a long time coming, following EU members states on April 6, 2016, agreeing to the major new reforms. While GDPR has been in effect since then, the EU included a two-year grace period to give organizations time to begin complying.

"Our new data protection rules were agreed for a reason: Two thirds of Europeans are concerned about the way their data was being handled, feeling they have no control over information they give online," says European Commission Vice President Andrus Ansip, who's from Estonia.

"Companies need clarity to be able to safely extend operations across the EU," he says. "Recent data scandals confirmed that with stricter and clearer data protection rules we are doing the right thing in Europe."

European officials continue to stress that privacy is a right that must be protected.

"Data protection is a fundamental right in the EU. The new rules will put the Europeans back in control of their data," says European Commission Justice Commissioner Vĕra Jourová. "Now we have a choice and can decide what happens and who has what sort of data. You can ask and companies have to tell you. You can also recover your data if you leave or change service."

Data Protection: Risk-Based Approach

Jourová says the single regulation - applicable to all EU members states, as opposed to the previous data protection directive which each member state interpreted - will make it simpler for organizations to comply as well as to do business across Europe.

"The rules are based on a risk-based approach," she says. "Companies that have been making money from our data, have more responsibilities. They should also give something back to the consumers; at least the security of their data. Companies which do not process data as their core business activity have less obligations and mainly have to make sure that the data they process are secure and used legally."

Stronger Potential Sanctions

Organizations that violate GDPR face fines of up to 4 percent of their annual profits or €20 million ($23 million), whichever is greater. The laws will be forced by member states' information commissioners, who serve as Europe's independent privacy watchdogs.

Elizabeth Denham, the U.K.'s information commissioner, has signaled that large fines won't be imposed on companies that are trying to get their GDPR compliance right, but rather for intentional violations or gross negligence. Regardless, she's called on businesses not to focus on the fines, but rather respecting people's privacy rights, and getting and staying compliant with GDPR (see Countdown to GDPR Enforcement: Deadline Looms).

To help, the ICO has been publishing a series of guides for businesses, addressing everything from GDPR myths to questions about what constitutes personal data.

"Almost everything we do - keeping in touch with friends on social media, shopping online, exercising, driving, and even watching television - leaves a digital trail of personal data," Denham says.

"We know that sharing our data safely and efficiently can make our lives easier, but that digital trail is valuable. It's important that it stays safe and is only used in ways that people would expect and can control," she adds.

First GDPR Complaints Get Filed

Some organizations' approach to complying with GDPR is already set to be tested. At midnight on Friday, Austrian privacy rights campaigner Max Schrems filed three complaints worth €3.9 billion ($4.6 billion) against Facebook and its WhatsApp and Instagram subsidiaries, and another complaint worth €3.7 billion ($4.3 billion) against Google's Android operating system. He's accused them of forcing users to accept "coercive" new terms that undercut GDPR's protections.

Schrems heads a new privacy lobbying group call noyb - for "none of your business."

Facebook's Instagram requires a user to agree with all of its terms and services or else their account will be deleted. (Photo: noyb)

"Facebook has even blocked accounts of users who have not given consent. In the end users only had the choice to delete the account or hit the 'agree' button - that's not a free choice, it more reminds of a North Korean election process," Schrems says in a statement.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.