Start preparing immediately for the EU's new General Data Protection Regulation, even though it doesn't go into force for two more years.
"We're advising our clients to start right now," says cybersecurity expert Brian Honan, who heads Dublin-based BH Consulting. "While two years may sound [like] a long time, there's a lot of work to do." That work includes coming to grips with changes to information-gathering and consent practices, Europe's first mandatory data breach notification requirement covering all organizations, and a new obligation for many organizations that handle people's personal information to appoint a data protection officer.
After years of negotiations, the European Parliament and European Council on April 8 enacted the GDPR, which will apply from May 25, 2018. It replaces the 1995 Data Protection Directive, which each EU member state interpreted and implemented through its own national law, creating a patchwork of similar but slightly differing laws across Europe.
By contrast, the new regulation is directly applicable and will apply equally across all 28 EU member countries, and it toughens Europe's already vaunted privacy protections for consumers. Furthermore, any organization worldwide that processes the personal data of people in the EU will have to comply. And organizations that violate the rules will face fines of up to 4 percent of their global annual turnover or €20 million ($22.4 million) - whichever is greater.
"There's a huge focus on privacy as part of the regulations, and this will impact companies that are looking to develop new products and new services within the EU," Honan says. "They will have to make privacy impact assessments on new services and products that they're planning to develop. So privacy has to be built in from the very beginning."
In this audio interview with Information Security Media Group, Honan details:
- How the GDPR builds on Europe's existing privacy and information-handling rules.
- The breach penalties facing organizations that violate the new privacy rules.
- How Europe's new mandatory breach notifications will reshape the region's information security perceptions.
- Why the new regulation could be a boon to law enforcement agencies battling cybercrime.
The message behind the GDPR is clear: Safeguard people's personal information, or else. "It's bringing this away from being an IT problem, to being a business problem," Honan says. "As part of your incident response you're going to need to have good legal and regulatory advice on how you make sure you comply with the regulations."
Honan is president of Dublin-based BH Consulting and the founder of Ireland's first computer emergency response team, IRISS-CERT. He's also a cybersecurity adviser to the EU's law enforcement intelligence agency, Europol.