Raft of new EU data privacy rules demand risk management response

The new rules are due to come into force via the EU-US Privacy Shield initiative, the General Data Protection Regulations (GDPR) and the National Information Security (NIS) Directive. The most recent of the three initiatives is the EU-US Privacy Shield. It was only agreed at the beginning of February. Under the current EU Data Protection Directive, transferring personal data from Europe to a country outside of the region is prohibited, unless a company can demonstrate that there are adequate safeguards in place. One way to achieve this was through Safe Harbour. However, the European Court of Justice, in its ruling on 6 October 2015, declared the old Safe Harbour framework invalid following a challenge. In its place comes the EU-US Privacy Shield. According to the EC, the EU-US Privacy Shield will put further obligations on companies in the US to protect the personal data of Europeans and allow stronger monitoring and enforcement by the US Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities.hideSpeaking at the Advisen cyber event, Bridget Treacy, partner, Hunton & Williams, said there has been real concern amongst companies over how to ensure that transfer of data that previously relied on Safe Harbour is now valid under European Data Protection Law. She noted that there are two main concerns from regulators about Privacy Shield. Firstly, indiscriminate access to data and the degree of access that US government agencies have to data. Secondly, there is concern about the rights of individuals to complain. She said no one has seen any documents yet, that the details still have to be figured out and the regulation has not yet taken effect. The second piece of legislation of concern for companies is the GDPR. Raluca Boroianu-Omura, manager, conduct regulation at the Association of British Insurers, told the conference that GDPR is a revolutionary step taken by the Commission to try to modernise the current EU data protection framework. "It is a technologically neutral regulation, applying across all sectors of industry-and it is a regulation not a directive so it is directly applicable in member states so there will be more harmonisation as a result," she said. "The headlines were the right to be forgotten and the right to withdraw consent which seemed to be revolutionising the framework, but in general it is more of an evolution of the current framework." The regulations were agreed in December 2015, but the text hasn't been published yet. Ms Boroianu-Omura said it will be adopted in April 2016 at the earliest and implemented in two years' time. The crux of it, she said, strengthens accountability and transparency and makes sure that companies understand that they are the custodians of data and that the data subject owns the data. Ms Treacy said there are a number of elements to the regulations, notably greater harmonisation and a tightening of obligations on companies that process and control data. Processors will direct liability under the legislation, she added. "What this all means is that companies will have to look very closely at how they collect information from individuals, what they tell people they are going to do with the data and [they must] be able to evidence what they are doing," she said. "There is also a strengthening of individual rights, together with regulators' powers being significantly increased, mandatory security breach notification and something closely akin to class actions. As a result, we are getting much closer to the US environment, and it is a much more volatile environment." The experts said that although the GDPR will not be implemented for another two years, companies need to start ensuring compliance now. The final piece of legislation on its way is the NIS Directive. Michael Bruemmer, vice president, data breach resolution group at Experian, explained that the NIS Directive intends to boost cyber security and enhance cooperation and sharing of information related specifically to cyber security. It also aims to ensure that sound management practices are in place, particularly in certain sectors such as energy, transport, banking and health. He said European firms should learn from the mistakes made in the US. "Don't wait for the big breaches or the shutdown of a major supplier or a power grid. In the US, it took these big breaches to make companies come together and act to protect consumers. It is not a question of if a large breach will happen, only when." Laurent Heslault, chief security strategist at Symantec, said the EU is sending a strong message. "Information is key, privacy is key, and cyber risks are higher than ever. These regulations should be seen as a catalyst for better cyber resilience for each and every enterprise. The level of cyber maturity, or cyber resilience, that we are seeing in companies and governments across Europe-let us say there is room for improvement," he said.

Raft of new EU data privacy rules demand risk management response

Want to read this article?

Read Next

‘Pressure rising’ on developing Asian aging risk: ADB

European business confidence in China plummets

International SOS warns of ‘burnout epidemic’

Strebel to replace Gonzalez as head of Swiss Re China

Risk managers want software providers to integrate more AI tools

‘Pressure rising’ on developing Asian aging risk: ADB

European business confidence in China plummets

International SOS warns of ‘burnout epidemic’

Strebel to replace Gonzalez as head of Swiss Re China

Risk managers want software providers to integrate more AI tools

Want to read this article?

Read Next

‘Pressure rising’ on developing Asian aging risk: ADB

European business confidence in China plummets

International SOS warns of ‘burnout epidemic’

Strebel to replace Gonzalez as head of Swiss Re China

Risk managers want software providers to integrate more AI tools

Related Articles