GDPR: Data protection legislation passed that seeks to give citizens more rights over their personal data in the digital age
The European Parliament has officially approved the General Data Protection Regulation (GDPR) in Strasbourg, after more than four years of negotiations.
The GDPR has been in the planning since January 2012, and it aims to give citizens back control over their data in the digital age, including the right to be forgotten. It also imposes tough financial penalties on businesses for not protecting data.
Companies that do not comply with the strict new requirements will face fines of up to 4 percent of their global revenue for the previous year, or €20 million (£15.8m), whichever is greater. In the UK, for example, the current maximum penalty (under the UK Data Protection Act) stands at £500,000.
Firms will also have to notify data protection officials within 72 hours after becoming aware of a data breach, unless they can provide a reasoned justification for the delay.
Earlier this year nearly 80 percent of UK medium and large businesses said they were not confident they would be able to comply with the GDPR regulations, which are set to be enforced from 2018.
“The European Commission welcomes the final adoption of the new EU data protection rules by the European Parliament, following the adoption by the Council last Friday,” said Frans Timmermans, vice president in charge of the Digital Single Market.
“Today’s vote marks a significant achievement, and the culmination of over four years of hard work with the European Parliament, the Council, business, civil society and other stakeholders.
“The new rules will ensure that the fundamental right to personal data protection is guaranteed for all. The General Data Protection Regulation will help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and legal certainty for businesses based on clear and uniform rules.”
The GDPR replaces the Data Protection Directive that was introduced in 1995, and the new law takes into account the arrival of the Internet, smartphones, and social networking.
There has been a mixed reaction from industry experts, with many noting the hefty responsibility now placed on firms to safeguard data, and the burden on individual regulators to ensure that the new law is implemented consistently across the common market.
“While we’re still two years away from these laws coming into play, it is a huge step forward in the fight against cyber criminals,” said Ross Brewer, VP and managing director of EMEA at LogRhythm.
“I’m sure many positives will come from these updated regulations, such as companies having to appoint a data protection officer if they are processing sensitive data at scale, as well as liability for data breaches extending to any data processors used by a data controller – both of which are logical changes in strategy if companies are truly serious about their cyber security.”
“However, I’m sure the items that are really causing companies to sit up and take note are the threat of hefty fines and the small breach disclosure window. To comply with this, organisations will need to take urgent steps to ensure that they fully understand and have clear visibility into all network activity at all times. Without such pervasive insight, it can be near impossible to detect, analyse and report a breach in just 72 hours.”
“This new regulation is being called the biggest shake-up to EU data laws in the past 20 years – and they’re probably right. If organisations continue to plead ignorance when it comes to IT security, they will sadly suffer the consequences, which are getting more and more severe.”
The European Internet Service Providers Association (EuroISPA) agreed the GDPR is a key milestone in the Digital Single Market strategy.
“EuroISPA engaged intensively throughout the process of developing the General Data Protection Regulation (GDPR),” said EuroISPA. “Internet Services Providers have a crucial interest in ensuring users have trust and confidence in online services.
“While the new regulation mainstreams data protection rules across sectors, it is essential that the legislation is implemented across the EU in a harmonised manner. The GDPR was inspired by the need to harmonise fragmented data protection rules across the EU. This ambition needs to be maintained in the crucial implementation phase.”
The GSMA also welcomed the final approval of the EU General Data Protection Regulation (GDPR).
“The introduction of stronger consumer rights and harmonised rules across Europe under the GDPR is fundamental to building trust and driving the uptake of new digital services by citizens across Europe,” said John Giusti, Chief Regulatory Officer of the GSMA.
“It is now up to European data privacy regulators to work together to ensure that the GDPR rules are implemented in a way that supports economic growth and improved competitiveness. Regulators will need to exercise particular care in interpreting GDPR requirements – around consent, profiling, pseudonymous data, privacy impact assessments and transfers of data to third countries – to avoid stifling innovation in the digital and mobile sectors.”