It’s been a long time coming but in 2018, the new EU General Data Protection Regulation (GDPR) is finally set to come into force, placing new requirements on anyone handling European consumer information. Despite Brexit, this will also apply in the UK to any company or organisation handling data from other European countries, and following Brexit we can expect equivalent regulations to be added to UK law.
The positive implication of these new regulations is that cyber security must be given yet more priority as part of the compliance measures required. Considering that a recent industry report found that 97% of its respondents had already been victims of a data breach, more stringent cyber security measures are definitely going to play a large part in complying with the new regulations.
The motivations for compliance with this new set of regulations are bound to be largely financial, with the size of potential fines rising dramatically to up to 4% of annual turnover rather than fixed sums. For the bigger corporations, this is potentially millions in fines if they fail to comply.
What are the GDPR requirements?
The GDPR contains the following new requirements:
- If your business is not in the EU, you will still have to comply with the Regulations.
Anyone providing products, services or handling EU consumer data in any way will be expected to comply.
- The definition of personal data is broader, bringing more data into the regulated perimeter.
Under the GDPR, personal data includes anything which might enable identification of an individual, beyond the usual name, DOB, address etc.
- Consent will be necessary to process children’s data
Parental consent will be required before processing any personal data of a child under 16 years old, with member states having the flexibility to lower this to 13 years of age.
- Changes to the rules for obtaining valid consent.
Consent must be clearly given and may not be assumed.
- The appointment of a data protection officer (DPO) will be mandatory for certain companies.
All public authorities and any company which processes data as one of their core activities must now appoint a data protection officer with ‘expert knowledge of data protection law’.
- The introduction of mandatory privacy risk impact assessments
Data controllers will now be required to conduct ‘privacy impact assessments’ before carrying out any higher risk data processing activities.
- New data breach notification requirements
Data controllers must inform their Data Protection Authority within 72 hours of discovering any breach which presents a risk to consumer privacy, and higher risk breaches will also require them to inform the consumers themselves.
- The right to be forgotten
Consumers now have ‘the right to be forgotten’ (i.e. their personal data is no longer stored) and the regulations set out specific circumstances in which this can happen.
- The international transfer of data
Organisations must consider the risk of transferring data to non-EU countries and processors who might not be compliant.
- Data processor responsibilities
Data processors now have direct legal responsibilities and can be held liable for data breaches. Contractual agreements with any third parties will need to be updated to properly stipulate respective responsibilities.
- Data portability
Data portability must be provided for, meaning consumers can request a copy of their data which can be electronically transmitted to another processing system.
- Privacy by design
The ‘privacy by design’ principle will require systems to take data protection into account from the inception of the system. It also stipulates that processors should only collect the information they specifically require and discard it when it is no longer needed.
- One-stop shop
There will now be a single EU supervisory authority for data protection, rather than a separate one for each member state.
The above are the main requirements introduced by the GDPR. With specific reference to web application security and cyber security in general, the guidelines are relatively vague with article 32 ‘Security of processing’ stating that ‘the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’.
It then specifically refers to the use of encryption, backing up and testing. The guidance is then, as detailed in articles 40-42, to follow a customised code of conduct, produced by industry bodies and regulators and thereby specific to the sector concerned. These codes of conduct will be reviewed and approved by the supervisory authorities. The industry bodies who have drafted the codes can then be accredited to monitor compliance in their sector.
Therefore, if an organisation can show that they have followed the appropriate code of conduct and thereby complied with the regulations, then they should be safeguarded against any penalties in the event of a breach. As specified in article 32, this will include ‘a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures’ which will no doubt include web application testing, for which governing regulatory bodies must set the standard in each sector, through the code of conduct.
The new penalties available for punishing organisations who have not complied with the regulations will be harsher than even the largest fines given previously by bodies such as the UK Information Commissioner’s Office, whose record fine went to Talk Talk in October at a sum of £400,000. Under the new GDPR powers, companies could be fined up to €20 million or 4% of global annual turnover, whichever sum is greater. There is, however, a distinction between ‘data controllers’ and ‘data processors’, and it is only data controllers who are subject to the largest fines. Data processors are subject to a lower level of fines, at a maximum of €10 million or 2% of global annual turnover. This is the first time that a party who simply processes the data has been directly liable in the event of a breach; previously they would be merely contractually responsible to the data controller, who would hold the public liability in its entirety.
This massive increase in potential penalties is bound to have management taking action, with less than two years to ensure they are compliant. Any organisation handling consumer data should contact their regulatory body and identify the appropriate code of conduct to begin working towards compliance.
The GDPR represents a huge milestone for cyber security in Europe, with a clear and standardised approach being rolled out across the EU and harsher, broader ranging penalties being sure to improve the general standard of security across all sectors.
Article 32: Security of processing
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.