[BreachExchange] Breach notification in Europe: The GDPR’s far-reaching implications

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 14 19:21:09 EDT 2016


http://www.itproportal.com/2016/03/12/breach-notification-in-europe-the-gdprs-far-reaching-implications/

In 1995, Iomega introduced the Zip Drive. Palm Pilots were two years from
being introduced to the market. In technical terms, 1995 is a very, very
long time ago. It was also the year the EU introduced the Data Protection
Directive. The EU Directive far outlasted Zip Drives and Palm Pilots, but
even it is in need of a refresh. That refresh will be coming with the new EU
General Data Protection Regulation (GDPR), which will bring a great deal of
change for businesses once the regulation becomes law in 2018.

These changes reflect today’s climate, where cybersecurity incidents are
inevitable for any business. The aim of the GDPR is to create clear
guidelines across the common market to ensure that organisations are
guaranteeing the safety of their data – bringing in compliance measures
that will be new practice for a lot of companies operating in Europe.

Mandatory breach notification

One of the most significant of these changes is mandatory breach
notification. The GDPR stipulates that organisations that are breached will
now have 72 hours to report it to the proper channels. The cost of breaking
this rule is high, with potential fines set at up to four per cent of
annual global revenue.

Breach notification laws have only been ratified in a few EU states prior
to the GDPR, so this will be an area of compliance new to many
organisations. It may also well be an unwelcome change for companies who
fear the brand damage of having their breaches made public.

But with this increased burden, the drafters may take the opportunity to
streamline the process. There are two areas ripe for improvement: the
definition of personal information and methods of reporting.

What is personal information?

The GDPR’s definition of personal information is essentially information
that can identify a person. This is a circular reference, different from
other countries’ standards that take the more mathematical approach of
name-accompanying information such as identification number, bank, or
medical information.

How to notify

As for methods of notification, the more centralised the better. But the
GDPR has already slipped away from early hopes of one-stop reporting. Now,
we are looking at country-based Independent Supervisory Authority
notification.

The EU also has the opportunity to become more objective and less
subjective when it comes to defining reasonable security measures to
protect personal information. By updating legislation on how organisations
should handle, store, and protect data, it will ultimately make it easier
for companies to comply and avoid penalties, as well as reducing compliance
costs, complexity, and uncertainty over legal responsibility.

Breach notification’s potential

The EU has the opportunity to create the most streamlined breach
notification standard in the world. Somewhat counterintuitively, this is
because Europe has neglected breach notification for such a long time. Much
in the same way that less developed countries were able to lead the way in
the uptake of mobile and wireless communications, the starting-from-scratch
position is exactly what may allow Europe to take the lead on breach
notification.

A chance for best practice

This uniformity – ultimately reducing 28 sets of data protection laws into
a single regulation – means that Europe’s GDPR could quickly become the
leading example of cross-market standardisation. It may also encourage
investment in member states and Europe as a whole. By removing regional
complexities and articulating more clearly and objectively the requirements
of adequacy, there could be less confusion for companies looking to invest
in one of the member states. It’s really in the hands of the drafters and
implementers.

The world has changed since 1995, and is continuing to change at an ever
faster rate. We now get to see if the EU is ready to hit the refresh button
and jump into the lead position or if it defaults to a confederated and
ambiguous regime.