What CISOs Need to Know About New EU Data Privacy Regulations
First in a two-part series
The European Union (EU) recently passed some of the most aggressive data privacy regulations in existence. The General Data Protection Regulation replaces the European Parliament and Council Directive 95/46/EC of 1995 – also known as “the ancient past” in tech time. The new rules let individuals exert more control over their personal data in a world where that information is collected and used by companies in ways that couldn’t have been imagined 20 years ago.
The GDPR also establishes a single set of data protection rules that apply across the EU, doing away with the medley of data privacy requirements that existed across member states.
The new GDPR rules aren’t just for EU organizations to adhere to. Businesses based in the U.S. or headquartered outside of the EU are expected to be subject to them as well, if they offer goods or services there and collect data belonging to EU citizens as part of their transactions. Regardless of operational location and where personal data is processed, then, these companies should prepare to demonstrate compliance on a number of fronts.
A paper published last month by international law firm Allen & Overy LLP offers a good summary of what CISOs and others need to do to become compliant with the new rules, including:
- Organizations that have control over personal data (data controllers) must conduct a data protection impact assessment for higher-risk processing and implement data protection by design and by default.
- They must be able to show that a data subject’s consent was freely given for the processing of their data, and explicitly so in the case of sensitive data.
- They must issue alerts to data protection authorities about data breaches within 72 hours of becoming aware of them.
- Data processors who process data on the controller’s behalf have direct obligations as well. They include implementing technical and organizational measures, such as potentially appointing a Data Protection Officer, and notifying controllers without delay of data breaches.
Others studying the regulations have called attention to limits on how long data controllers may keep an individual’s data. Controllers also need to clearly explain to individuals the safeguards and rights that apply to the processing of their personal data, such as their right to object to its use for direct marketing. Companies also need to explain to individuals how they can exercise their data privacy rights, including the requirement that they provide a way for individuals to:
- Get access to their data
- Correct any errors in it
- Withdraw consent for its use
It’s also been noted that businesses have two years to assess the new GDPR regulations and get their compliance measures in order. Allen & Overy Partner Nigel Parker states in the law firm’s report that many companies are re-examining their processes and procedures now in order to ensure compliance.
Safe Harbor Invalidated
As if that weren’t enough to deal with, changes to data privacy regulations that affect companies in the U.S. aren’t over yet. Last fall, the Safe Harbor framework that governed transfers of citizens’ personal data from the EU to the U.S. was invalidated by the Court of Justice of the European Union. The Court cited as its reason the indiscriminate surveillance carried out by the U.S. government for national security purposes, which it believes undermines the data privacy protections that U.S. companies operating in the EU under that framework had put in place. Negotiations to replace the framework are underway between the U.S. and the EU.
But in the meantime, American companies will have to come up with their own ways to demonstrate compliance with privacy regulations for personal data transfers if they hope to continue such data sharing across the Atlantic. The self-certification standards American companies were able to use to show that they met with specific European privacy standards under the Safe Harbor framework seem to be a thing of the past.
Successfully meeting the EU’s more stringent data privacy requirements in the GDPR, and whatever may come of the Safe Harbor framework redo, will take a coordinated effort from the companies that do business with citizens there. Those efforts call for cooperation from senior business leaders, governance officers, and security and IT executives, and possibly outside partners with expertise in the compliance and security realm.
In our next blog post in the series, we’ll discuss the EU’s new Directive on Cybersecurity, what it means for North American companies doing business in Europe, and how it will impact their cyber security operations.