This has been a momentous year for data protection and information security regulation in Europe, with two landmark pieces of legislation taking effect. Together they represent a major shift in the European industry's approach to privacy and security compliance.
The long-awaited General Data Protection Regulation (GDPR) came into force in the European Union (EU) on May 25, 2018, attracting a huge amount of attention and prompting a flurry of email messages to customers on historic marketing lists.
Now organizations that process personal data are regulated not only if they are established in the EU, but if they target goods or services at, or monitor the behavior of, individuals in the EU—regardless of where they are located. Service providers that process personal data for others become directly regulated, while individuals' rights to manage their data have been enhanced. And the new sanctions regime has given regulators real teeth, with the ability to levy fines up to the greater of €20 million or 4% of total worldwide annual turnover.
Many view Europe's approach to data privacy and cyber security as setting a global gold standard.
Shortly before the GDPR took effect, the deadline for EU member states to implement the Network and Information Security Directive (NISD) passed much more quietly. Often viewed as the GDPR's 'younger sibling,' the NISD has proven a less eye-catching piece of legislation although it too threatens hefty penalties for breach.
Whereas the GDPR focuses on protecting individuals' rights to privacy, the NISD originates in national security concerns. It aims to raise levels of cyber security in specific sectors that represent 'critical national infrastructure,' such as energy, transport, health and water, as well as among suppliers of essential digital services.
The GDPR has pushed data privacy compliance up the corporate agenda for the long term. Organizations must understand and document the personal data they use in far greater detail than before. Shortly before the compliance deadline, the International Association of Privacy Professionals and Ernst and Young estimated that large British firms had spent $1.1 billion on GDPR preparations, while U.S.-based companies had invested $7.8 billion.
According to research into GDPR readiness costs among FTSE100 companies carried out by management consultants Sia Partners, banks were the biggest spenders at over £60 million on average. Next came the energy, commodities and utilities, retail goods, and technology and telecommunications sectors, with an average implementation expenditure of approximately £15–£19 million per company. And ongoing obligations under the GDPR will create a lasting increase in compliance costs across sectors.
Compliance also plays a major role under the NISD. The regulatory burden represents a greater shock to the system for industries that have not previously been required to prioritize cyber security or incident reporting. Organizations are also spreading the NISD compliance burden along their supply chains into sectors that are not directly regulated. One beneficiary of the increase in compliance risk is the insurance sector, and both the NISD and GDPR will continue stimulating the cyber insurance industry.
The GDPR in particular has had a noticeable effect on improving individuals' awareness of, and assertiveness in exercising, their data privacy rights. Organizations that hold large volumes of customer data have received rising numbers of data subject access requests, which can be costly to comply with.
Greater consumer awareness is also evident in increasing levels of interaction with regulators. In the first few months after the GDPR came into effect, the French regulator reported a 64% increase in complaints from individuals, which in its view showed that EU citizens had warmly embraced the regulation.
Alongside the introduction of the GDPR and NISD, the European Commission has emphasized that building a European data economy is a key part of its 'digital single market' strategy.
But there is a natural tension between the desire to protect data privacy, boost cyber security, and promote a burgeoning European economy based on free-flowing data. It remains to be seen whether a data-driven economy can continue to flourish once the new regulations really start to bite.
In this more hostile environment, businesses and regulators will need to work hard to avoid a situation where Europe becomes a less attractive region to test and roll out new products. Balancing the free flow of data with respect for privacy and security concerns will be essential to the success of a dynamic, connected European economy.
There is a natural tension between the desire to protect data privacy, boost cyber security, and promote a burgeoning European economy.
On the other hand, many view Europe's approach to data privacy and cyber security as setting a global gold standard. Numerous countries still have no coherent data protection laws in place at all. Only a select few—Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the U.S. (only under the Privacy Shield framework)—have data protection laws that reach the required threshold to be considered adequate by the EU. China is moving toward stringent data protection standards but still has a patchwork of regulation in place.
There are also signs that U.S. consumers look longingly at the protections available in the EU. According to a survey conducted in April 2018 by Janrain, the customer profile and identity management software provider, 68% of respondents wanted a GDPR-like law in the U.S. Some 38% identified their top priority as the ability to control how their data is used, while 39% focused on the right to require organizations to delete their data.
The U.K. Information Commissioner's Office (ICO) issued its first formal GDPR notice in July 2018. This required data analytics firm AggregateIQ to stop processing data relating to U.K. individuals that it held through its work for the 'Leave' campaign in the EU membership referendum, and that it continued to process in breach of the GDPR. Following an appeal, the ICO narrowed its enforcement notice and no fine has been issued.
One of the first GDPR fines was issued by the Portuguese regulator against the Centro Hospitalar Barreiro Montijo in July 2018. A fine of €400,000 was levied against the hospital for two GDPR breaches relating to unauthorized access to patients' data and inadequate data security—still a relatively modest amount in contrast to the maximum available. In January 2019, the French regulator raised the stakes by issuing a record €50m fine against Google, due to insufficient transparency, inadequate information, and a lack of valid consent in relation to personalized advertisements.
The full impact of the GDPR and NISD will therefore become clearer as regulators flex their muscles and issue more large-scale fines. Although we have not yet witnessed the predicted rush of group litigation, an uptick in data protection-related class actions is also likely.
The GDPR and the NISD are still in their relative infancy, but they will be with us for a long time to come. Generating trust will be the key to success in this increasingly connected world. Organizations must show they take cyber security and data privacy concerns sufficiently seriously to win consumers' confidence. Doing this while also providing market-leading services will enable Europe's data-driven economy to succeed in the years to come.
Copyright held by author/owner. Publication rights licensed to ACM.
Request permission to publish from [email protected]
The Digital Library is published by the Association for Computing Machinery. Copyright © 2019 ACM, Inc.
No entries found