Nicky Stewart says public sector bodies and their suppliers must put measures in place to avoid large fines for data breaches.
New year, new data protection regulations. Towards the end of last year, EU officials agreed on the final text of the General Data Protection Regulation (GDPR), which will be implemented by 2018. The new protection reforms will harmonise existing data protection regulation across the EU, making it much easier for companies to conduct business across EU borders, and will also give much stronger data protection rights to data subjects, including the controversial ‘right to be forgotten.’
The regulation aims to make Europe the safest place in the world in terms of data protection, with a renewed focus on protecting European data at both the citizen and corporate level. Although there is a two year transition period before the regulation becomes law in the UK, public sector bodies and suppliers, SMEs in particular, need to start familiarising themselves with the new regulation now, in order to understand their obligations and to begin planning for the new legislation.
SMEs must consider whether or not they need to hire or train up a data protection officer who is expert in the new law, which is highly likely if they process personal data, as most technology companies do. Supply and demand means that these data protection officers are likely to be an expensive commodity.
Some of the more obvious changes to the regulation include a tougher restriction on consent to collect data, increasing the age to 16 years old and removing data from company servers when ‘right to be forgotten’ requests are issued. Companies will also be required to report data breaches within 72 hours of the occurrence and establish a single national office where data protection complaints can be fielded.
One example of how the regulation will function is that any request from a third country for personal data will only be recognisable or enforceable if there is an international agreement, such as a Mutual Legal Assistance Treaty, in place.
Data Protection Authorities will be able to impose maximum fines of €20,000 or 4% of a company’s global turnover (whichever is the higher) for any breach of the regulation, with a lower cap of €10,000 or 2% of a company’s global turnover (whichever is the higher) for minor breaches of the regulation. These penalties are much higher than the penalties the Information Commissioner can impose today (a maximum of £500,000 for serious breaches).
The forthcoming GDPR does permit a number of restrictions and exemptions by member states, which relate to a broad range of prescribed scenarios, such as (but not limited to) national security, the prevention and detection of crime, ranging through to personal expression, health and employment.
While this does give member states a necessary margin of manoeuvre, the regulation is very clear about the conditions under which any restriction or exemption could be made: this includes purpose, scope, safeguards and proportionality.
The exemptions and restrictions are not limited to public sector bodies, and would be determined by each member state. In my view, the regulation does not give carte blanche for public sector organisations to opt out of the regulation, and restrictions and exemptions are similar in scope to those that already exist under current data protection regulation (the Data Protection Act 1998).
In our experience, public sector bodies take their data protection obligations very seriously indeed. Whilst the GDPR will give Data Protection Authorities the ability to impose much higher penalties for breaches, I do not believe that the restrictions could or would be abused to avoid the new regime – although there is still a lack of clarity about how the penalties might be applied to public sector bodies.
Overall, the new streamlined data regulation is a positive move, bringing EU legislation on data protection under a single market jurisdiction and minimising the restrictions on conducting data storage business across EU borders. Some detailed aspects of the regulation have been controversial and challenging. We now understand the regulatory establishment we will be working under in approximately two years’ time, and the onus must be on all of us to prepare for the new regime, so that our transition, and our customers’ transition, is seamless and easy.
Nicky Stewart is commercial director at Skyscape Cloud Services