New EU Cybersecurity Regulations On The Way: Things To Know Now

July 14 09:53 2015

By Stephen H. Jett on July 14, 2015

Posted in Cyber Security

Since the European Commission issued the first draft of a comprehensive regulation to govern data protection in the European Union ("EU") in January 2012, the European Commission, the European Council, and the European Parliament have been working to update and supersede the existing EU Data Protection Directive (95/46/EC) and bring it into line with sweeping advances in technology and technological globalization.  (EU Privacy Regulations:  Who Will Own Your Data Now?, Corporate Counsel, July 8, 2015, Frances McLeod)  On June 11, 2015, the European Council issued its own proposal for a European General Data Protection Regulation ("GDPR") for review and consideration.

The objective of the European Commission, the European Council, and the European Parliament is to agree a final text of the regulation by the end of 2015, with formal approval and adoption to follow by the spring of 2016.  (European Council approves EU General Data Protection Regulation draft; final approval may come by end of 2015, Data Protection Report, June 15, 2015, Marcus Evans; European Union data protection reform:  What should businesses be doing now to get ready?, Data Protection Report, Kimberly Gold)  When the new regulation is adopted, not only will Directive 95/46/EC be superseded and replaced, but sweeping changes will also apply to companies with operations in the EU or doing business in the EU.

Now is the time for companies to start readying themselves for these significant forthcoming regulations.  (As of this writing, the U.S. Congress has not adopted a comprehensive, pre-emptive federal law regulating cybersecurity, leaving U.S. companies to track at least 47 separate and differing state breach notification laws.)

Some highlights of the proposed EU GDPR include:

  • Applicability to EU citizens’ personal data, even where that data is processed outside the EU;
  • Explicit, informed consent from data subjects to any entity that processes or analyses their personal data, with the ability to withdraw that consent easily (this could be particularly onerous and expensive to implement for an entity’s own employees);
  • A right to compensation for monetary damages where unlawful data processing occurs;
  • Fines for non-compliance of up to 1 million euros or, in particular cases, two percent of a company’s “total worldwide annual turnover of the preceding financial year”;
  • Mandatory risk assessments and in-house data protection officers for larger companies; and
  • In the context of cloud-based systems, direct accountability and reporting requirements for every person or entity in the cloud “supply chain”.

(Privacy Regulations:  Who Will Own Your Data Now?, Corporate Counsel, supra)

The obvious implication of these, and other, potentially forthcoming EU regulations is that companies without a data protection policy need to obtain a data risk assessment now, and those with existing data protection policies should re-evaluate them immediately.  (Id.)

The original article and image were posted here: http://www.privacyanddatasecurityinsight.com/2015/07/new-eu-cybersecurity-regulations-on-the-way-things-to-know-now/

About Article Author: GDPR Associates