The reason behind the flurry of update emails is that, on May 25th, the EU’s General Data Protection Regulation, or GDPR, comes into force. It is being billed as the largest overhaul of data law in 20 years.
The new regulation promises to strengthen data protection for EU residents and protect them against data breaches. It applies to all businesses and organizations, including those located in Canada, that offer goods and services to people in the EU. Also captured are any organizations that monitor the behaviour of EU residents or otherwise process their personal data.
To comply with the GDPR, organizations must protect information about a user's identity (name, address), health, biometrics, race or ethnicity, sexual orientation, political opinions and financial information. GDPR also gives consumers greater control over online identifiers such as their location, IP addresses and cookie data. An organization that decides why and how personal data is processed is a data controller under the GDPR and is accountable for the personal data it collects, even if the databases are located outside the EU.
Mishandling of that data can result in fines as high as 4% of a company's annual worldwide turnover or 20 million euros, whichever is higher, even if operations are not based in the EU.
Here are some other highlights:
- The GDPR includes new requirements under Article 33 to report breaches of personal data to the supervisory authority. That doesn't mean that all breaches must be reported; only those that are likely to result in a risk to people's rights and freedoms (financial loss, damage to reputation, loss of confidentiality, and so on).
- Under the GDPR Guidelines, an assessment of that risk should take into account a number of criteria, namely the type of breach, the sensitivity of the data and its volume, the severity of the consequences for individuals, the number and characteristics of affected individuals, and how easy it is to identify those individuals from the data.
- An organization must report any personal data breach that puts people's rights and freedoms at risk to the supervisory authority without undue delay and, where feasible, no later than 72 hours after the organization has become aware of it. If notification is later than that, reasons for the delay must be given. The Guidelines offer a list of cases where notification may not be required: where the breached data was already publicly available; where the data was properly encrypted and the key was not compromised; where there is only a very temporary loss of access to personal data; and where personal data was accidentally sent to a third party that the controller can trust, because of its existing relationship with that party, to follow instructions to return or destroy the data.
- The notification must describe the nature of the personal data breach, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; it must include the contact details of the data protection officer or another contact point for more information; and it must describe the likely consequences of the breach, as well as any measures taken or proposed to be taken by the controller to address it, including measures to mitigate its possible adverse effects.
For now, it isn't entirely clear what enforcement will look like, and there are media reports indicating that many national regulators still lack the resources to enforce it effectively. Even so, the 72-hour notification window, while not absolute, is likely to complicate matters for companies sooner rather than later: an organization cannot meet it unless it can detect a breach, assess the risk to individuals and assemble the required details within days of becoming aware of it. As with the new Canadian breach notification requirements coming into force in November, GDPR compliance will require careful planning and a review of every organization's privacy and breach policies and practices.