The Reformed EU Data Protection Laws: Understanding the Data Protection Requirements and How to Comply



2 Introduction
Like the majority of states in the U.S., many countries in the European Union (EU) have implemented their own data protection legislation to reflect the new reality of the dissolving network perimeter. As with the differences between US states, the European data protection regulations still vary from country to country. There has not been a significant overhaul of EU data protection regulations in some time. This, paired with the need to address the major technological developments since 1995, is driving the need to modernize and harmonize the EU data protection regulations. For the last three years the EU has been working on new Data Protection Regulation reform proposals that will set a Union-wide framework to replace the existing patchwork of country-specific legislation. It is intended to strengthen the privacy rights of EU citizens, restore confidence in online activities and better protect customer data by requiring companies to adopt new data protection processes and controls.
#MSPAlliance #MSPWorld

3 Background
On 25 January 2012, the Commission proposed a comprehensive reform of the EU's 1995 data protection rules to strengthen online data protection rights and boost Europe's digital economy (see IP/12/46). The Commission's proposals update and modernize the principles enshrined in the 1995 Data Protection Directive, bringing them into the digital age and building on the high level of data protection that has been in place in Europe since 1995. For the moment, the proposals consist of 91 articles. Like any piece of legislation, the pending Data Protection Regulation reform can be confusing. My goal with this session is not to educate you on the whole of the law but to focus on how to prepare, and in particular on the need to protect the security of personal data, which falls under the most severe set of proposed fines. To learn more about the reform itself, please visit the resources listed in the appendix of this presentation.

4 The main building blocks of the EU's data protection reform
Pillar one: One continent, one law. The European Parliament agrees that the new data protection law for the private and public sector should be a Regulation, and no longer a Directive. The distinction matters: a Directive has to be transposed into 28 national laws, each with its own wording and gaps, whereas a Regulation applies directly and identically in every Member State.
Pillar two: Non-European companies will have to stick to European data protection law if they operate on the European market. For a strong European digital industry to compete globally we need a level playing field. This is at the heart of the proposed EU data protection Regulation. Non-European companies, when offering services to European consumers, will have to apply the same rules and adhere to the same levels of protection of personal data. The reasoning is simple: if companies outside Europe want to take advantage of the European market with more than 500 million potential customers, then they have to play by the European rules. The European Parliament confirmed this important principle.

5 The main building blocks of the EU's data protection reform
Pillar three: The right to be forgotten / the right to erasure. The right to be forgotten builds on already existing rules to better cope with data protection risks online. It is the individual who should be in the best position to protect the privacy of their data by choosing whether or not to provide it. It is therefore important to empower EU citizens, particularly teenagers, to be in control of their own identity online. If an individual no longer wants his or her personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from the controller's systems.
Pillar four: A "one-stop shop" for businesses and citizens. The European Parliament gave its support to the Commission's proposal to have a "one-stop shop" for companies that operate in several EU countries and for consumers who want to complain against a company established in a country other than their own.

6 Adoption process for the proposal to become law
The proposal was voted on and confirmed by the European Parliament in plenary session on 12 March 2014, with an overwhelming majority of 621 votes in favor, 10 against and 22 abstentions. There will still be delays and uncertainties, since the text must still be agreed with the Council of the EU before it becomes law, BUT the amount of legislative work already invested and the near-unanimous vote in favor of this text across all nationalities and political ideologies are indications that this proposal is here to stay and that the momentum will continue.

7 What will the data protection reform do for economic growth?
The European Commission's data protection reform will help the digital single market realize its potential, notably through three main innovations:
One continent, one law: The Regulation will establish a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Companies will deal with one law, not 28. The benefits are estimated at EUR 2.3 billion per year.
One-stop shop: The Regulation will establish a 'one-stop shop' for businesses: companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU.
The same rules for all companies regardless of their establishment: Today European companies have to adhere to stricter standards than their competitors established outside the EU but also doing business on our Single Market. With the reform, companies based outside of Europe will have to apply the same rules. European regulators will be equipped with strong powers to enforce this: data protection authorities will be able to fine companies who do not comply with EU rules with up to 5% of their global annual turnover. European companies with strong procedures for protecting personal data will have a competitive advantage on a global scale at a time when the issue is becoming increasingly sensitive.

8 What will the data protection reform do for citizens? (1)
There is a clear need to close the growing rift between individuals and the companies that process their data: Nine out of ten Europeans (92%) say they are concerned about mobile apps collecting their data without their consent. Seven Europeans out of ten are concerned about the potential use that companies may make of the information disclosed.
Source: Flash Eurobarometer 359: Attitudes on Data Protection and Electronic Identity in the European Union, June 2014

9 What will the data protection reform do for citizens? (2)
The data protection reform will strengthen citizens' rights and thereby help restore trust. Better data protection rules mean you can be more confident about how your personal data is treated, particularly online. The new rules will put citizens back in control of their data, notably through:
A right to be forgotten: When you no longer want your data to be processed and there are no legitimate grounds for retaining it, the data will be deleted. This is about empowering individuals, not about erasing past events or restricting freedom of the press.
Easier access to your own data: A right to data portability will make it easier for you to transfer your personal data between service providers.
Putting you in control: When your consent is required to process your data, you must be asked to give it explicitly. It cannot be assumed. Saying nothing is not the same thing as saying yes. Businesses and organizations will also need to inform you without undue delay about data breaches that could adversely affect you.
Data protection first, not an afterthought: Privacy by design and privacy by default will also become essential principles in EU data protection rules. This means that data protection safeguards should be built into products and services from the earliest stage of development, and that privacy-friendly default settings should be the norm, for example on social networks.

10 What does the reform do for SMEs?
The data protection reform is geared towards stimulating economic growth by cutting costs and red tape for European business, especially for small and medium enterprises (SMEs). First, by having one rule instead of 28, the EU's data protection reform will help SMEs break into new markets. Second, the Commission has proposed to exempt SMEs from several provisions of the Data Protection Regulation, whereas today's 1995 Data Protection Directive applies to all European companies regardless of their size. Under the new rules, SMEs will benefit from four reductions in red tape:
Data protection officers: SMEs are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
No more notifications: Notifications to supervisory authorities are a formality and red tape that represents a cost for business of 130 million euro every year. The reform will scrap these entirely.
Every penny counts: Where requests to access data are excessive or repetitive, SMEs will be able to charge a fee for providing access.
Impact assessments: SMEs will have no obligation to carry out an impact assessment unless there is a specific risk.

11 Who is impacted by the new reform?
The status of the EU Data Protection Regulation reform proposals should be of global interest, as it impacts any company doing business with European citizens regardless of where the company is based. This is very similar to many US data protection laws. For example, a company based in France doing business with American customers in California must comply with California's data protection law. If that same company also does business with customers in Massachusetts, then it must also comply with Massachusetts data protection law, and so on. Some of the benefits of the EU Data Protection Regulation reform will be:
One EU market, one law: European and non-European companies no longer need to research and know the details of 28 different rules and regulations.
Unified process: The same process will be followed in case of breaches and/or violations.
Same rules apply to all companies: Regardless of where the companies are based, the same rule set will apply when doing business within the EU.

12 Violations of the EU Data Protection Regulation reform
If a company fails to do any of these things (adopt internal policies and implement appropriate measures for ensuring and demonstrating compliance, or notify the supervisory authority or the data subject of a personal data breach, where appropriate), then Article 79 on administrative sanctions stipulates that the supervisory authority can impose at least one of the following sanctions:
a warning in writing in the case of first and/or non-intentional non-compliance
regular periodic data protection audits
a fine of up to EUR 100,000,000 or up to 5% of the annual worldwide turnover in the case of an enterprise, whichever is higher.

13 How to comply with the new legislation?
For the many companies that must comply with the proposed Data Protection Regulation reform legislation, the best way to prepare is to implement a solid data protection strategy and process, which should include encryption in order to be most effective. The proposed legislation does not require a specific type of technical control. However, best practice would be to implement state-of-the-art technical controls to render personal data unintelligible to unauthorized users. Thus, it is best to look at how organizations achieve compliance with other regulations that seek to protect personal data. The Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley (SOX), and of course the Unified Certification Standard (UCS), are a few examples of regulations that require data protection controls similar to those in the EU Data Protection Regulation reform proposals. Because it renders data unintelligible, encryption is widely accepted as an adequate means of addressing these requirements. If encrypted data is lost or stolen, it is essentially worthless: no one can access the actual data. That is the crux of data protection laws and regulations. Two caveats apply. First, this holds only if the decryption keys are stored and managed separately from the data and were not lost with it; a database dump that ships with its key material is not protected. Second, it covers only data that was actually encrypted at the time of the loss: records copied out of a running application that holds them decrypted in memory, or exported by a user who is authorized to decrypt them, are not protected by encryption at rest, and encryption does nothing for the other obligations in the proposal, such as lawful processing and answering access or erasure requests.
Bottom line: If you want to be ready for the Data Protection Regulation reform, you should start looking at encryption technologies AND, more importantly, get a certification such as the UCS.
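The following is an added example and not code from the presentation, from MSPAlliance or from the UCS standard. It shows what "rendering personal data unintelligible" looks like in practice: a customer record is encrypted at rest with AES-256-GCM (authenticated encryption), so that whoever obtains the stored blob without the key gets nothing, and any modification of the blob is detected instead of being silently decrypted. The record, the record identifier used as associated data and the in-process key generation are constructed for the demo; the assumption, stated in the comments, is that in a real deployment the key is held in a KMS or HSM separate from the datastore, which is exactly the condition under which a lost or stolen copy of the data is worthless.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed personal-data record used only for this demo.
const sampleRecord = `{"name":"Example Person","email":"person@example.org","dob":"1980-01-01"}`

// NewKey generates a random 256-bit AES key. Assumption for this example: in a
// real deployment the key comes from (and stays in) a KMS or HSM, separate from
// the datastore, so that a copy of the database alone never includes the key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad (additional authenticated data) is not encrypted but is bound to the tag,
// so a ciphertext cannot be moved to a different record ID without detection.
// A fresh random 96-bit nonce is drawn per call; with random nonces a single key
// should not be used for more than about 2^32 messages before rotation.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Appending to nonce yields nonce || ciphertext || tag in one buffer.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It fails on a wrong key, a modified byte anywhere in the
// blob, or mismatched aad, and in that case returns no plaintext at all.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("customer-record:42") // hypothetical record identifier
	sealed, err := Seal(key, []byte(sampleRecord), aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored blob:", hex.EncodeToString(sealed))

	// What a thief gets with the blob but without the key: an error, not data.
	wrongKey, _ := NewKey()
	if _, err := Open(wrongKey, sealed, aad); err != nil {
		fmt.Println("wrong key:", err)
	}

	// Tampering with any byte (here the last tag byte) is detected.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, tampered, aad); err != nil {
		fmt.Println("tampered blob:", err)
	}

	// The legitimate holder of the key recovers the record.
	pt, err := Open(key, sealed, aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted:", string(pt))
}
```

Run it with `go run main.go`. The design choice worth noting is the use of an authenticated mode (GCM) rather than plain CBC or CTR: the tag turns a stolen-and-altered blob into a hard failure, and binding the record identifier as associated data stops an attacker who can write to the datastore from swapping one customer's ciphertext into another customer's row. None of this protects data that is decrypted in application memory or exported by an authorized user, which is why the key-separation assumption in the comments is the part that actually matters for a breach.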

14 For more information
Press pack: data protection reform: http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm
European Commission data protection: http://ec.europa.eu/justice/data-protection/index_en.htm
European Parliament report on the Data Protection Regulation: http:// 2009_2014/documents/libe/pr/922/922387/922387en.pdf
Homepage of Vice-President Viviane Reding, EU Justice Commissioner: http://ec.europa.eu/commission_ /reding/

15 Nicolas Geudens
Nicolas Geudens began his career in various business development management positions; he then established, together with his father, his own company to provide management consultancy services. In 2008, he founded Hestia, Belgium's market leader for infrastructure managed services; he is currently Managing Partner. Mr. Geudens looks after Hestia's management and strategic guidance; with his team, he strives for the highest level of quality and service in managed services for his customers. In 2012 he was appointed to the Advisory Board of the MSPAlliance, the International Association of Managed Service Providers. In this function, his personal goal is to ensure that both managed service providers and customers respect the UCS certification by making the managed services and cloud computing profession as transparent as possible. Mr. Geudens obtained his master's degree in commercial sciences with a specialization in IT management and marketing at the University of Antwerp (Belgium); he followed this with several advanced courses that further broadened his business management skills.
Contact: Nicolas.geudens@hestia-it.be