The existing EU data protection regime is built around the Data Protection Directive 1995 (the 1995 Directive) and the Privacy and Electronic Communications Directive 2002 (ePrivacy Directive). With a new EU Data Protection law said to be on track for next year, organizations need to start thinking now about how they will manage and conform to the expected changes.
Looking first at the existing regulations – here’s what’s required today.
The existing 1995 Directive sets the overarching framework for data protection in the EU and sets out certain core principles concerning the processing of personal data. Under the existing directive there is a specific requirement under Article 17 for Member States to implement “appropriate technical and organisational measures” to protect personal data against accidental loss or unauthorised disclosure, and to ensure those measures maintain “a level of security appropriate to the risks represented by the processing and the nature of the data to be protected”. This is already a clear obligation to deploy encryption technologies to sufficiently obfuscate any personal data at risk of compromise, and you would only expect the requirements for demonstrable security measures to grow in line with the increasing stringency expected from the new law due sometime next year.
The companion ePrivacy Directive applies specifically to service providers, such as telecommunications companies and ISPs, requiring them to “ensure that personal data can be accessed only by authorised personnel for legally authorised purposes” and to “protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure”. There is also a mandate that service providers must notify affected individuals of personal data breaches without undue delay – and the equivalent of a safe harbour provision if the data is “unintelligible” to any third party (i.e. encrypted or tokenized).
Now for what appears to be coming next year.
The new European data protection law is expected to update and strengthen the Data Protection Directive 1995. Among other changes, the new law is expected to:
- Increase maximum fines for breached businesses from 2% to 5% of the company's global annual turnover
- Expand the obligation to inform individuals that their data has been lost or stolen beyond service providers to other organizations
- Increase responsibility and accountability for organizations that process personal data, through risk assessments, possible audits and design principles
With so many data breaches reported from day to day, just one of these major changes (the increase from 2% to 5% of global annual turnover as a maximum penalty) is clearly going to become a very real and very severe operational risk for organisations that hold personal data to which the regulations apply. Added to this risk will be new costs to inform individuals in the event of a breach. US requirements around this have greatly increased the costs of a breach to US organizations since they went into effect, starting with California’s SB1386 law passed in 2002. This law has been used as a model for similar legislation by all but a handful of US State governments. For a typical large data breach with hundreds of thousands to millions of records lost, it increases costs by millions of dollars.
To be really effective, however, provisions around auditing and compliance are a necessity. At Vormetric, we’ve seen compliance as a primary driver for organizations to get started with protecting data. It “short circuits” the internal discussion around “It can’t happen here” by setting meaningful enforcement standards that have to be met in order to do business.
Of course, legal requirements aside, best practices will inevitably exceed compliance requirements. Laws and regulations change slowly, while attack methods and hacks change quickly, so organizations need to keep current to offset evolving threats. Keep in mind that the retailer Target, which suffered a record data breach last year, had just passed a PCI DSS compliance audit. By some counts, 110 million personal records were stolen. Laws and industry regulations that provide a basic standard for data security are to be welcomed, but businesses should think of them as just that – the bare minimum.
As an organization using personal data you won’t have a choice about becoming compliant, but you can put in place proactive best practices that help to keep your organization safe and reduce the enhanced risks of a data breach that appear to be on the way for global and European-based organizations next year.
If you’re interested in finding out about how encryption can help you meet and exceed your compliance requirements, Vormetric, alongside legal firm FieldFisher, has created this whitepaper which investigates the legal obligations for encryption of personal data in the United States, Europe, Asia and Australia.