The three EU law-making bodies (the European Parliament, the European Commission and the Council of the EU) agreed this Tuesday on the final terms of the new General Data Protection Regulation (GDPR). After some remaining formalities, expected in early 2016, the regulation will apply from 2018. That sounds like a long time, but once you account for the assessment and the changes you need to make, it is shorter than you think. Why wait, if you can start today, implement flexible solutions that adapt to further regulation, and deal with the invalidation of Safe Harbor at the same time?
The new regulation contains some rules that will make things easier and others that will put new duties on you and your company.
First, and finally, data protection law will be identical, and (hopefully) identically enforced, in all EU member states. Setting up in Dublin will no longer mean you have fewer rules to adhere to than if you operate in Austria.
To use personal data you will need explicit consent:
“The regulation returns control over citizens’ personal data to citizens. Companies will not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned. Consumers will have to give their explicit consent to the use of their data.” said Jan Philipp Albrecht, the European Parliament's lead negotiator (rapporteur) for this regulation.
Regulators can fine a company up to 4% of its annual worldwide turnover for violations of the GDPR, so it is wise to start planning now. Combined with the invalidation of the existing Safe Harbor arrangement and the uncertainty about its successor, this means that 2016 is the year to assess and implement alternatives that make you future-proof and flexible.
Companies will have to notify the national regulator within three days (72 hours) of becoming aware of a data breach, so you need to be able to react quickly. What if your cloud provider only tells you after five days?
So it is time to find out where your data and your documents are located: where are the servers hosted, who has access, and what are the procedures and mechanisms for protection and breach reporting?
The earlier you start implementing changes, the more time you will have to get them right.
The majority of companies expect to have to change their current procedures. This, and more, is one of the results of a study by Ovum and Intralinks.