In the first of a monthly series, Kris Lahiri, Chief Security Officer for Egnyte, takes an in-depth look at the General Data Protection Regulation.
Later this year, the UK is expected to trigger Article 50 of the Lisbon Treaty, the first official step in its much publicised departure from the European Union.
At the end of the Brexit process, the UK will also introduce a Great Repeal Bill, which will “instantly annul the 1972 European Communities Act (ECA), which gives EU law instant effect in the UK.” This bill will convert existing EU law into domestic law and, from there, Parliament will work to decide which EU laws it will want to discard.
The General Data Protection Regulation (GDPR) aims to iron out the differences between national privacy laws within Europe and to introduce “one stop” enforcement for multinationals. This will be handled by a lead regulator in the Member State where the organisation has its main establishment.
Among the laws to be considered at this time will be the EU’s newly adopted GDPR, a set of regulations that intends to update antiquated protections, such as those provided in the Data Protection Act of 1998 in the UK. The GDPR is set to go into effect 25th May 2018, pre-empting the UK’s departure from the EU, meaning UK companies need to prepare to meet these regulations, lest they face the penalties. Moreover, it is arguable that the UK should consider adopting the GDPR as its own, not only to further protect user privacy and data, but for companies to remain competitive in the EU.
How the GDPR Will Modernise Data Protection
The GDPR aims to modernise Europe’s data protection laws for the first time in over twenty years by bringing them in line with today’s digital world. The law intends to do this by governing over any use of EU citizen data, regardless of whether or not the entity using that data is a member of the EU. Even third-party service providers, such as data storage or cloud services, will now assume a shared legal responsibility for their suppliers’ data security measures.
Egnyte, as a content governance and content intelligence provider, is a prime example here. We have offices and data centres in both Europe and North America, and we store each client’s data in one of those regions, depending on where the client resides. Going forward, Egnyte, as a third-party storage provider, will need to adhere to the GDPR for our European clients.
Organisations using or storing EU citizens’ personal or professional information will have to report any data breaches within 72 hours and be ready to demonstrate their security and data privacy procedures at a moment’s notice. Those found in violation of the GDPR will be subject to serious financial penalties of up to 20M Euros or 4 percent of turnover.
Being a not-for-profit will not protect an organisation from this penalty: in that case, or in any other where an organisation has no turnover, it will still be liable for the 20M Euro fine. A very large enterprise that suffers a breach will be fined 4% of turnover or 20M Euros, whichever figure is the higher.
One of the biggest areas of focus for the GDPR will be data governance: privacy impact assessments will be made mandatory for high-risk processing activities, such as those of banking clearing houses and personal insurance providers.
Whereas companies currently seem to have free rein with user data, under the GDPR they will need to demonstrate “privacy by design.” Stored user data will need to be pseudonymised, and privacy protection will need to be built directly into staff policies. Citizens will have the legal right to bring individual lawsuits and make compensation claims in the case of a data breach. For example, employers will need to store and protect your personal information in adherence to the GDPR.
Unless organisations address this in employment contracts, employees could take legal action after leaving an organisation if it suffered a breach. Our advice to organisations is to get prepared: it will be easier to build these processes from the ground up than to retrofit them at a later stage.
Third-party data processors will be required to assess their procurement processes and will likely have to abide by EU-approved boilerplate clauses in service provider contracts. (A vendor selling marketing lists will need to obtain opt-in preferences in accordance with the GDPR when selling those lists to organisations for promotional activities, and this will need to be made clear in any contractual arrangements it has with its clients.)
The GDPR also imposes restrictions on entities transferring personal data outside the European Economic Area (EEA). Such transfers will only be lawful under limited circumstances, because adequate safeguards for the relevant personal data must be ensured.
Consent must be provided by the owner of the data for each individual processing activity, and this consent can be withdrawn at any time, at which point the organisation must not only comply but must also pass that request on to any other organisations to which it has granted access to that data.
Fast forward to 2018: the GDPR is in force and the UK has adopted it. Egnyte, like many other organisations headquartered in North America, has customers in most if not all of the EU member states plus the UK. For this illustration, a customer of ours, a large enterprise headquartered in North America, is working with a recruitment agency in the UK.
That agency is sharing information with its large corporate client, who is using our file share and sync solution. The information contains highly confidential personal information about candidates for a senior position. This is the point in time when you need to have established and laid the foundations for the “right to be forgotten,” the “right to erasure” and the “right to data portability.”
If one of those candidates wanted all of their data removed and erased, would your organisation be able to do that? Does the technology you used to share the data have the capability to switch off access to that data? These are all measures to take into consideration, and you must be able to respond swiftly if necessary.
Brexit and the GDPR
As noted, the timing of Brexit is such that, no matter how things play out with the passing of the Great Repeal Bill or the completion of Article 50, the UK will be fully subject to GDPR regulations for the better part of a year at least. And from there, the nature of the GDPR is such that any company dealing with EU citizen data, wherever they may be located, will be expected to meet its standards.
As such, UK-based organisations need to begin immediately to prepare for the GDPR. This is not a simple—or cheap—undertaking and for many organisations it will involve looking into systemic ways they use data and what needs to change to meet these new regulatory requirements around the “right to be forgotten, right to erasure and the right to data portability.”
Meeting them will not be as simple as imposing new rules within an organisation; it may affect business operations down to the core processes. Organisations need to designate a Data Protection Officer, or someone to take responsibility for data protection compliance, and assess where this role will sit within their structure and governance arrangements.
Adopting the GDPR
Ultimately, the GDPR will be good for businesses and users alike, with stricter controls on the flow and residence of data. Unlike the current Data Protection Act 1998, the GDPR takes into account how we now live in an online society. And while it will represent big expenses in the years ahead as companies adapt to meet its strict stipulations, these expenses are dwarfed by those of experiencing a serious security breach, for which fines averaged £3.14M in 2015, double that of the year before.
A reported 76 percent of Europeans fear their data is unsafe in the hands of private companies, and this number is unlikely to improve for companies that do not meet the updated regulations provided in the GDPR. When the UK enacts its Great Repeal Bill, the GDPR is one EU regulation that it should consider adopting in whole, as doing anything else would severely handicap its companies.
Don’t think that because you operate and trade outside the EU this doesn’t affect you; it does. All non-EU organisations targeting EU citizens with goods or services will be expressly caught by the rules. Such organisations need to designate a representative in the EU to act as a point of contact with regulators and data subjects on compliance matters.