Europe may soon pass a new data protection regulation. Here’s why you care.
It can be easy for an Information Security professional to watch the ongoing debate over Europe’s pending Data Protection Regulation with a skeptical eye. While parliamentarians dicker over the Right to Erasure (formerly known as the Right to Be Forgotten) and Privacy by Design, you’re worried about practical matters like managing BYOD or preventing the next DDoS attack.
But pay attention. The current draft of the new Regulation could present some serious alterations in the way you go about your day-to-day job if you’re operating in Europe, exchanging data with Europe or doing anything related to the cloud. The good news is that much of the terminology for this “privacy” law should be pretty familiar. The bad news may be that protecting your data from hackers might be just the beginning of your job.
So let’s take a look at some of the main pieces of the new Regulation and how they might impact you.
First off, it’s not enough to just secure your data anymore. Organizations will have to be very clear about what data they are collecting and how that data will be used. Meeting user expectations in a straightforward manner and observing the purpose limitations you outline in your privacy notice will be of paramount importance.
What happens if you do things with your customers’ data that you didn’t tell them you were going to do? Oh, just a little sanction on the order of 5 percent of annual turnover or $100 million. Whichever is BIGGER.
Of course, you’re probably saying to yourself, “That’s not my problem. It’s the privacy guy’s problem.”
However, the two fields are coming together like never before. Just as the U.S. federal government has merged its security and privacy controls in NIST’s 800-53, so, too, does the proposed EU Data Protection Regulation bring the two fields together. “Security” is mentioned more than 30 times in the document and IT pros ignore it at their peril.
Luckily, the document doesn’t try to create a new cybersecurity framework that will be foreign to you. The new Regulation reflects a shift to a risk-based framework – check out Recital 66 – one that mirrors the standard IT security approach you’ve likely been practicing for years. In fact, the whole concept of a Privacy Impact Assessment, which is heavily endorsed in the proposed Regulation, is based on risk analysis.
You can do that. And you can help the privacy team do that.
You’ll be working with them a lot. Calls for “Privacy By Design” and “Privacy By Default” in Article 23 of the document mean you’ll have to be baking privacy considerations into new products and services from the get-go. Like, at the initial stages of development. Privacy guys can’t code. Neither can lawyers. You’ll need to be working closely with the privacy and compliance teams to make sure great ideas don’t get short-circuited because privacy wasn’t considered early in the process.
Finally, there is perhaps the best and worst news coming in one piece: data breach notification requirements. If a breach happens, you’ll have one day to report it. And it may be unclear whom you’ll be reporting to in the first place. Which means preventing data breaches will remain important, but so will recognizing them and reporting them. Otherwise, yes, that $100 million fine might be hanging over your head.
Examine Articles 30-32 very closely. Much of it should be pretty straightforward, but the data breach obligations could be very new and different indeed, depending upon how much business you’ve done in certain U.S. states with strict notification laws.
The good news is that your role will be vitally important. The bad news is that if you don’t do good work, very bad things could happen.
That’s why you’re going to want to be hand-in-glove with the privacy team, and get some privacy training yourself. You’re going to need to know how to recognize personally identifiable information, how to conduct impromptu privacy impact assessments and how to design programs and systems with privacy in mind.
Once you’ve got those tools available to you, the new Data Protection Regulation ought to be relatively pain-free, and may even raise your stature in the organization. With 5 percent of annual turnover riding on the line, you can be sure the CEO will be paying attention.
If you want more information on the Data Protection Regulation, the IAPP European Data Protection Congress in Brussels this December is a unique opportunity to learn more about the new regulation and interact with both regulators and like-minded professionals.