On December 15, 2015, the 28 EU Member States finalized the language of the new General Data Protection Regulation, meaning that a single set of information security rules will be enforced across the EU starting around 2018, giving organizations a two-year period to become compliant.
The new law will apply both to organizations based within the EU and to organizations based outside the continent that offer services to EU users.
So what good tidings does the new regulation bring to the New Year? Here are several:
Uniform EU-wide enforcement
Whereas the regulation’s predecessor, the EU General Data Protection Directive, served as a legal basis that each member state interpreted and enforced individually, the newly completed Regulation will be interpreted and enforced uniformly, eliminating ambiguity and uneven levels of enforcement.
Privacy by design
Data protection and data privacy solutions, procedures and processes must be built into business products. At any given time, a company will be required to have visibility into the data it processes and stores, and be able to answer the five W’s (the Who/Where/What/When/Why) of personal data under its control to ensure that appropriate mitigation measures have been implemented.
Hefty fines for non-compliance
Significant fines will be imposed on companies for non-compliance, with an upper limit of €20 million or 4% of global revenue, whichever is higher.
Compulsory data breach notification
In the event of a data breach, companies will be obliged to notify affected users without undue delay. Exceptions include cases where the risk associated with the leaked data is inconsequential, as well as cases in which the compromised data has been rendered unintelligible to hackers. For example, data scrambled through the use of encryption or tokenization solutions would be useless to hackers, and leaked passwords would be equally unusable if coupled with multi-factor authentication (e.g. strong authentication that leverages PKI security or OTP authentication).
Mandatory Data Protection Officer
Organizations that are public authorities or publicly traded companies will be required to appoint an independent Data Protection Officer, providing a single point person accountable for the implementation of the regulation.
With Gemalto being a global, publicly traded company incorporated in the EU, my colleagues will undoubtedly provide further insights into the new law as the year unfolds.
Wishing all a safe and secure 2016!
Is your data safe and secure? Protect your data: start by exploring Gemalto’s Data Compliance Solutions.