<h1>New EU data regulations receive warm reception from industry</h1>
<p>Published 15 April 2016</p>
<p>The European Union has finally rubber-stamped a refresh of the General Data Protection Regulations (GDPR) that offers greater protection for individuals, but at the cost of a greater burden on businesses, reports <a href="http://telecoms.com/">Telecoms.com</a>.</p>
<p>In customary EU fashion, this is the culmination of four years of to-ing and fro-ing since the refresh was first proposed. Even the final sign-off took four months to complete, with the text having been agreed last December. Furthermore, the new regulations won’t come into law until May 2018, giving all businesses that keep data on European citizens, which must include pretty much every multinational, two years to comply.</p>
<p>“The new rules will give users back the right to decide on their own private data,” said Green MEP Jan Philipp Albrecht, who led the drafting process. “Businesses that have accessed users’ data for a specific purpose would generally not be allowed to collect the data without the user being asked. Users will have to give clear consent for their data to be used. Crucially, firms contravening these rules will face fines of up to 4% of worldwide annual turnover, which could imply billions of euros for the major global online corporations.</p>
<p>“The new rules will give businesses legal certainty by creating one unified data protection standard across Europe. This implies less bureaucracy and creates a level playing field for all business on the European market. Under the new rules, businesses would also have to appoint a data protection officer if they are handling significant amounts of sensitive data or monitoring the behaviour of many consumers.”</p>
<p>Industry reaction has been broadly positive, but with caveats mainly concerning how easy it will be to comply, and some concern about the high ceiling for potential fines. Compounding this is a requirement for companies to disclose data breaches within 72 hours of them happening, which is a pretty small window.</p>
<p>“This will be a technical challenge for those businesses unaccustomed to such stringent measures,” said David Mount of MicroFocus. “They will need to identify the breach itself and the information assets likely to have been affected so they can give an accurate assessment of the risks to the authorities and consumers.</p>
<p>“While this may seem like a positive step towards improved data protection, the US example shows that in reality there can be an unintended consequence of ‘data breach fatigue’. Consumers become accustomed to receiving frequent data breach notifications for even very minor breaches, and as a result it can be hard for them to distinguish serious breaches requiring action from minor events which can be safely ignored. The effect is that sometimes consumers can’t see the wood for the trees, and may start to ignore all warnings – which somewhat negates the point of the measure.”</p>
<p>“It is now up to European data privacy regulators to work together to ensure that the GDPR rules are implemented in a way that supports economic growth and improved competitiveness,” said John Giusti, Chief Regulatory Officer of the GSMA. “Regulators will need to exercise particular care in interpreting GDPR requirements – around consent, profiling, pseudonymous data, privacy impact assessments and transfers of data to third countries – to avoid stifling innovation in the digital and mobile sectors.</p>
<p>“All eyes are now on the review of the e-Privacy Directive. The right balance needs to be struck between protecting confidentiality of communications and fostering a market where innovation and investment will flourish. To this end, the GSMA calls on legislators to address the inconsistencies between the existing e-Privacy Directive 2002/58/EC and the GDPR.”</p>
<p>The e-Privacy Directive covers things like tracking and cookies, and seems to focus specifically on the way telecoms companies process personal data. So for the telecoms sector in particular, this refresh could be even more important than the GDPR. The European Commission initiated a <a href="https://ec.europa.eu/digital-single-market/en/news/public-consultation-evaluation-and-review-eprivacy-directive">consultation</a> on ePrivacy earlier this week and will conclude it on 5 July this year.</p>
<p>William Long, a partner at Sidley Austin, warned that individual countries may view the new GDPR differently. “There are still a number of issues where some member states have fought successfully to implement their own national law requirements, for instance in the area of health data, and this will no doubt lead to certain complexities and inconsistencies,” he said.</p>
<p>“However, organisations should be under no doubt that now is the time to start the process for ensuring privacy compliance with the Regulations. The penalties for non-compliance are significant – at up to 4% of annual worldwide turnover or 20 million euros, whichever is the greater. Importantly, companies outside of Europe, such as those in the US who offer goods and services to Europeans, will fall under the scope of this legislation and will face the same penalties for non-compliance.”</p>
<p>“Our own research shows that globally, 52% of the information organisations are storing and hoarding is completely unknown – even to them; we call this ‘Dark Data’,” said David Mosely of Veritas. “Furthermore, 40% of stored data hasn’t even been looked at in more than three years. How can companies know they’re compliant if they don’t even know what they’re storing? This is why GDPR represents such a potentially massive task, and businesses need to start tackling it now.”</p>
<p>“In order for data to remain secure, there are three core components that are now vital for EU businesses,” said Nikki Parker of Covata. “Firstly, encryption is no longer an optional extra. It provides the last line of defence against would-be snoopers, and companies must encrypt all personally identifiable information (PII).</p>
<p>“The second component is identity. True data control involves knowing exactly who has access to it, and this can be achieved through encryption key management. Enabling businesses to see who has requested and used which keys ensures a comprehensive audit trail, a requirement of the new regulation.</p>
<p>“Finally, businesses must set internal policies that specifically outline how data can be used, for example whether data is allowed to leave the EU or whether it can be downloaded. Applying policies to each piece of data means access can be revoked at any moment if the company feels it is in violation of the ruling.”</p>
<p>All this is happening in parallel with the overhaul of the rules governing data transfer between Europe and the US, known as the <a href="http://www.businesscloudnews.com/2016/04/12/microsoft-endorses-eu-us-privacy-shield-despite-criticism-from-eu-industry-commentators/">Privacy Shield</a>. By the time the GDPR comes into force, pretty much all companies are going to have to tread a lot more carefully in the way they handle their customers’ data, and it will be interesting to see how the first major transgression is handled.</p>