In 1995, Iomega introduced the Zip Drive. Palm Pilots were two years from being introduced to the market. In technical terms, 1995 is a very, very long time ago. It was also the year the EU introduced the Data Protection Directive. The EU Directive far outlasted Zip Drives and Palm Pilots, but even it is in need of a refresh. That refresh will coming with the new EU General Data Protection Regulation (GDPR), which will bring a great deal of change for businesses once the regulation becomes law in 2018.
These changes reflect today’s climate, where cybersecurity incidents are inevitable for any business. The aim of the GDPR is to create clear guidelines across the common market to ensure that organisations are guaranteeing the safety of their data – bringing in compliance measures that will be new practice for a lot of companies operating in the Europe.
Mandatory breach notification
One of the most significant of these changes is mandatory breach notification. The GDPR stipulates that organisations that are breached will now have 72 hours to report it to the proper channels. The cost of breaking this rule is high, with potential fines set at up to four per cent of annual global revenue.
Breach notification laws have only been ratified in a few EU states prior to the GDPR, so this will be an area of compliance new to many organisations. It may also well be an unwelcome change for companies who fear the brand damage of having their breaches made public.
But with this increased burden, the drafters may take the opportunity to streamline the process. There are two areas ripe for improvement: the definition of personal information and methods of reporting.
What is personal information?
The GDPR’s definition of personal information is essentially information that can identify a person. This is a circular reference, different from other countries’ standards that take the more mathematical approach of name-accompanying information such as identification number, bank, or medical information.
How to notify
As for methods of notification, the more centralised the better. But the GDPR has already slipped away from early hopes of one-stop reporting. Now, we are looking at country-based Independent Supervisory Authority notification.
The EU also has the opportunity to become more objective and less subjective when it comes to defining reasonable security measures to protect personal information. By updating legislation on how organisations should handle, store, and protect data, it will ultimately make it easier for companies to comply and avoid penalties, as well as reducing compliance costs, complexity, and uncertainty over legal responsibility.
Breach notification's potential
The EU has the opportunity to create the most streamlined breach notification standard in the world. Somewhat counterintuitively, this is because Europe has neglected breach notification for such a long time. Much in the same way that less developed countries were able to lead the way in the uptake of mobile and wireless communications, the starting-from-scratch position is exactly what may allow Europe to take the lead on breach notification.
A chance for best practice
This uniformity – ultimately reducing 28 sets of data protection laws into a single regulation – means that Europe’s GDPR could quickly become the leading example of cross-market standardisation. It may also encourage investment in member states and Europe as a whole. By removing regional complexities and articulating more clearly and objectively the requirements of adequacy, there could be less confusion for companies looking to invest in one of the member states. It’s really in the hands of the drafters and implementers.
The world has changed since 1995, and is continuing to change at an ever faster rate. We now get to see if the EU is ready to hit the refresh button and jump into the lead position or if it defaults to a confederated and ambiguous regime.
Gant Redmon, VP of Business Development, Resilient Systems