The EU Data Protection Reform was put forward in January 2012 by the European Commission to make Europe fit for the digital age. In the last days of 2015, following final negotiations between the three institutions, agreement was reached with the European Parliament and the Council. The reform consists of the General Data Protection Regulation (GDPR), which governs the use and privacy of EU citizens’ personal data, and a Data Protection Directive for the police and criminal justice sectors, which governs the use of EU citizens’ data by law enforcement.
The General Data Protection Regulation (GDPR), as one of the instruments of this reform, has finally been agreed after nearly four years of discussion at many levels. It will replace the current Data Protection Directive (95/46/EC) and will be directly applicable in all Member States without the need for implementing national legislation. According to the European Commission:
“The General Data Protection Regulation will enable people to better control their personal data. At the same time modernised and unified rules will allow businesses to make the most of the opportunities of the Digital Single Market by cutting red tape and benefiting from reinforced consumer trust.”
The new rules are expected to apply from the first half of 2018. During the two-year transition phase, the Commission will inform citizens about their rights and companies about their obligations.
Companies therefore have a two-year transition period in which to bring themselves into compliance with the new legislation, and are advised to start a GDPR readiness initiative well before the deadline approaches.
The GDPR provides for hefty fines for the most serious infringements: up to 4% of annual worldwide turnover or €20 million, whichever is higher. The scale of these penalties makes data protection an executive-level concern. Unless the issue has already been addressed, the organization needs an allocated budget for GDPR compliance, buy-in from top management, and a designated roadmap, with the processes and people behind it, that will bring it into compliance within the two-year time frame.
There are two building blocks for compliance with the GDPR. The first is a data flow map that shows where personal data enters the organization, where it is held and processed, and where it leaves the corporate perimeter. Chiara Rustici, an independent privacy analyst, emphasizes that mapping data flows means mapping data in transit, not just data storage.
“The GDPR meaning of ‘data processing’ also includes retrieving, consulting, organizing, structuring, aligning, combining, disseminating, disclosing by transmission or soft-deleting data, as well as collecting, storing and destroying it,” she said.
The second is organization-wide awareness of data protection principles, which can be built with the help of the HR or training and development (T&D) department. It might take a year of campaigning to get everyone to understand their part in the organization’s obligations as a “data controller” or “data processor”. In addition, embedding a new data architecture into the business and familiarizing everyone with it takes considerable time.
Two years may seem a long time away, but organizations should start moving towards compliance and implementing the required changes without undue delay.
Let’s close with the timeline of the EU Data Protection Regulation:
| Date | Event |
| --- | --- |
| January 2012 | EC Vice-President, Commissioner Viviane Reding, published proposals to reform European data protection rules. This included a draft revised Data Protection Regulation. |
| May 2012 | European Parliament committees began an exchange of views on the draft revised Data Protection Regulation. |
| July 2012 | The first European Parliament working document was produced by the lead rapporteur, MEP Jan Philipp Albrecht of the LIBE committee. |
| October-November 2012 | The European Parliament led an inter-parliamentary hearing with national parliaments. |
| January 2013 | A draft report and mark-up of the proposed regulation, based on the earlier working documents, was released by Jan Philipp Albrecht. |
| March 2013 | Opinions on Albrecht’s report and revised draft were due from all other European Parliament advisory committees. |
| Autumn 2013 | Informal negotiations between the European Parliament and the Council of the European Union. In October the LIBE Committee voted on a compromise text. |
| March 2014 | The European Parliament held a plenary vote in first reading of the draft Regulation and adopted the LIBE Committee’s compromise text. |
| May 2014 | The Council met and produced a report. It reached a partial general approach on specific articles of the GDPR and held an orientation debate on the “one stop shop” mechanism. |
| October 2014 | The Council reached a partial general approach on Chapter IV of the GDPR. |
| March 2015 | The Council reached a partial general approach on Chapters II, VI and VII. |
| Spring 2015 | The Council continued to work at a technical level. |
| June 2015 | The Council released its general approach, opening trilogue negotiations between the three institutions. |
| 24 June 2015 | Kick-off trilogue meeting. |
| 14 July 2015 | Second trilogue. |
| 15-17 December 2015 | The EU General Data Protection Regulation was agreed: political agreement was reached in trilogue on 15 December, and the LIBE Committee endorsed the agreed text on 17 December. |
| 2018 | The revised Data Protection Framework is expected to come into force. |
About the Author
Ali Taherian (@ali_taherian) is an enthusiastic information security officer. He completed his education in information security and has recently been working in the banking software and payment security industry. Taherian is proud to be a certified IBM Cloud Computing Solution Advisor and ECSA, and enjoys sharing and tweeting about security advances and news.
Edited by Pierluigi Paganini
(Security Affairs – General Data Protection Regulation, EU)