Compliance with the New EU Data Protection Regulation
This summer sees the passing of the new Data Protection law, the first major overhaul of EU data protection rules since 1995. Affecting all EU nations and any business that holds information on, or trades with, European businesses or individuals, the new legislation will affect almost every UK business.
So what does the new EU GDPR state?
Article 30 states that “Companies shall implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk, including inter alia, as appropriate:
(a) The pseudonymisation and encryption of personal data; (b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data; (c) The ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident; (d) A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”.
In simple terms, the article states that organisations must implement and maintain appropriate security measures and solutions to protect personal data. Encryption of data is specifically mentioned in this article as a method of achieving such protection. The ability to maintain that level of protection is also mentioned, so having a strong key management solution in place for any encryption solution is also imperative. The article also covers business continuity and disaster recovery for systems containing sensitive data.
In Article 31, the new legislation states that organisations must notify the supervisory authority within 72 hours of a data breach. The company may also have to notify every individual affected by the breach. Such public notifications of a data breach can cause serious PR and reputational damage to organisations. In recent years we have seen CEOs of major businesses paraded on TV and in the newspapers, apologising for failing to take adequate steps to protect clients’ data. These apologies are often coupled with regulatory fines, now increased in this legislation to £16 million, imposed on companies not taking sufficient action to protect data.
Article 32 states “where an organisation: has implemented appropriate technical and organisational protection measures, and that those measures were applied to the data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption;”
In layman’s terms, if at the time of the loss the organisation had implemented a solution that protected the data in such a way as to make it unintelligible (unreadable and useless to third parties), and the organisation can prove this to the supervisory body, then the organisation is not required to disclose the breach. Such measures also mean the likelihood of a fine from the supervisory body is greatly reduced or completely mitigated.
However, if an organisation chooses not to invest in technology that protects data in this way, then the legislation makes provision for fining companies up to £16 million or 4% of global turnover, whichever is higher.