in BRIEF: in December 2015 the Council and the European Parliament reached an agreement on the draft regulation. On 8 April 2016 the Council adopted its position at first reading, and the European Parliament adopted the draft regulation on 14 April 2016. It will therefore take legal effect at the beginning of 2018. Companies throughout the world are affected if they want to store, transport or process personal data about European citizens.
The EU COMMISSION’S INTENTION: the draft regulation updates and modernizes the principles of the data protection directive from 1995 by giving individuals rights and placing obligations on those who process data and/or are responsible for data processing. It also establishes which methods are considered safe and compliant with the rules, and furthermore the scope of sanctions against those who violate them.
What is COVERED: personal data as under the previous law, now with the addition of genetic data (for example DNA) and biometric data (such as fingerprints). In addition, it introduces the concept of “pseudonymous data”: a way of handling personal data where the data and the associated information that makes it possible to identify the people behind the data are kept separate.
Who is COVERED: all EU citizens, with special rules for children: consent regarding children’s personal data is regulated separately from that of adults, and children under the age of 13 cannot give consent to the processing of personal data in connection with online services such as games, children’s portals, app stores, etc. In addition, a requirement is introduced to carry out so-called “Privacy Impact Assessments” in a number of situations where the processing of personal data may involve special risks for the individual.
24-72 HOUR OBLIGATION: notification of serious data breaches must be made within 72 hours to the national data protection authority. Both companies and authorities must in future ensure that the personal data protection rules are complied with, and document that this is done by means of internal procedures and privacy policies, also referred to as Privacy by Design and Privacy by Default.
All companies, traders, providers and intermediaries must comply with Data Protection and this privacy regulation reform
Failing to comply with these new data requirements can be expensive. Innovation Support A/S and VERIO ® provide consultants who can certify enterprises via the VERIO ® FAST TRACK certification scheme, an established review of how effectively the data files that contain personal data are protected in relation to the law. Innovation Support A/S can also provide an extensive analysis of the value of your security systems: we have around 120 IT engineers who can scan your networks online, with the logins you provide (and hopefully not without them), and make diagrams according to the regulation and for the client as a whole, pointing out weak or outdated security, encryption, LAN/WAN/SAN systems, login systems and remote access. It is the data collector who in future is entirely responsible. That responsibility is now placed at the source, and the national data protection agencies are in future the ones you have to call within 24 hours after a data breach is discovered.
The actual legislation must be complied with by every company and institution and deals with these facts:
- Fines of 4 percent of revenue or 20 million euros IF personal data protection is violated
- This new, already adopted regulation on citizens’ digital protection will apply throughout the whole European Union, and applies to authorities, citizens and businesses alike who keep personal data
- The privacy regulation is ALREADY adopted in the EUROPEAN UNION and shall enter into force in 2018
- It may take up to 1 year to implement new technology, which is why it may be too late to start on the changes in 2017
The EU’s intention with this overall privacy regulation is:
- that all citizens and/or users MUST give specific consent to what data is collected and how it can be used, giving citizens and/or users better digital protection against abuse
- to prevent “recycling” of personal information for purposes which are not apparent from the consent, by creating well-defined legislation under which fines can be imposed from the beginning of 2018 on anyone who does not comply with the guidelines.
- to make it easier for businesses, because there will only be one set of rules for the entire EU.
Consumer transparency can be a nightmare for data security
From now on, under the EU Commission’s regulation on personal data, any type of registered user may demand to see the data that companies have collected about them. This can be difficult to comply with, and we predict that the regulation as a whole will come under enormous pressure, because it most likely will not be possible for thousands of companies to show what data they hold about each user.
Also, it will not be possible to make all user data available for display without that data, of course, also becoming more easily accessible through security holes and the like. This may mean that the regulation, which aims to protect citizens, contrary to its intention instead leads to even more data break-ins and exposes more personal data than before the regulation was introduced.
This is simply because companies must find a way to meet the requirements so that the data collected can be displayed via the Internet. The databases that will have to be created must be protected extremely well in order to withstand hacking.
At the same time, it is commonly known which industries hold what kinds of data, and those data sets will therefore be obvious hacker targets even before the regulation is legally binding for all EU businesses.
The purpose of creating peace of mind can be turned into anxiety
We therefore believe that the European Union’s intention to create peace of mind can become a threat of abuse for the citizens of the European Union. There are already major problems with data security, because any phone is open to interception of conversations, SMS, apps, passwords and the like, as revealed by the program “60 Minutes”.
Because of this, consumers will be reluctant to buy, register and submit information on the Internet.
Unfortunately, our assessment is that this will hurt the competitiveness of the whole EU. The EU Commission’s present intention and vision is that the regulation will create new digital marketplaces as umbrella portals for peace of mind and protection of user information.
For this reason I think that the legislation is undermined by convergence-based applications, apps, plugins and terms of use that make users reluctant to give their consent, so that consequently fewer people will use apps, software, portals and facilities on the Internet that could provide social savings and at the same time support the growth of digital services.
This has significance for the billions in turnover of the whole market for apps and digital services. Free applications such as Google’s and payment-based apps such as games and services, and even open source software and general license-based software, will probably notice a slowdown. That is our estimate, and we expect to see the same outcome predicted by many other risk advisory firms and business analysts.
A jungle of consents and contracts can scare users
The privacy regulation provides a fundamental right for users of the Internet. But it places huge requirements on businesses and organisations to adopt IT policies for data security, and as part of the regulation the European Commission calls for a user system with unambiguous consent.
The privacy regulation, already adopted, requires that companies or organisations be 100% sure that the user has given consent to both the collection and the use of the personal data supplied.
- How this can be administered in practice, the EU Commission says nothing about
- How safety can be guaranteed, achieved or complained about, the EU Commission says nothing about
- The VERIO ® Privacy by Design and Privacy by Default fast track certification in personal data can certify that the regulation’s conditions for personal data are adhered to.
Many service providers, banks, app developers, cloud services, software systems and user licenses must also be brought into compliance by the supplier. But who is going to pay a fine if it is still not clear who is responsible when, for example, a Microsoft reseller delivers a service to a customer: the retailer or the manufacturer? We expect these kinds of issues to be clarified after the summer.
Our fear is that ease of use in operating computers, phones, iPads and PCs could be set back by decades, or end up worse than at the beginning of the 90s.
We recommend that you first of all contact one of our consultants; we will then send free recording sheets. These sheets cover the data that is subject to the legislation, including:
- what the data is used for
- which user statements it is associated with
- how the data is used by the company or government, and by whom, where, when and why
- risk analysis of storage, operation, servers, mirrors, backup and integration; the data can be HR video, research results, statistics on user habits, etc.
- Online, it must be possible for the user to use LOGIN systems for internal and external systems so that any data that is registered can be deleted and modified.
- Specify the new consents on the basis of the above. Data can be on multiple servers in multiple departments and internally/externally.
- Clear legislation between the US and EU according to the ongoing negotiation between those parties
- A VERIO PLAN for implementing the processes and control measures to guard against the risk of violating the regulation
There is only one alternative to this EU privacy regulation
If companies and organizations completely stop collecting users’ information, they will not be covered by the EU Commission’s privacy regulation. But this can lead to:
- a worse user experience that requires far more time at each site, software or app.
- daily retyping of simple information such as email address, language, credit card codes, etc.
- other information, such as statistics, procurement statistics, lists of all kinds, preferred information and personal preferences, having to be re-entered from time to time
EVERYONE must now respond if they want to avoid fines next year. Many think that the time is too short for bigger organisations, but it is now part of the laws which we all have to follow.
The EU privacy regulation covers producers, dealers, NGOs, retailers, shops, advisers, commission-based sellers, intermediaries and any publishing company, shop or service on the Internet.
The privacy regulation will clearly and indisputably bring more costs to all parties, including companies outside the EU if they intend to continue delivering goods to the EU.
New user declarations, consents and conditions will result in costs for agile development and service design amounting to billions of dollars.
We estimate around 150 billion euro in costs for agile development, service design and management of new user statements, new service design interfaces where user data must be transported from service to service, domain to domain or company to company, brand new service design acceptance routines and the administration of these. There is even a suggestion that consent should be limited in time, so that the user must periodically reiterate their acceptance.
There may be many more issues, as there is no way to establish WHO is using a computer when it is a family computer, or when there are multiple users at your company’s address. One or more users can therefore give conflicting permissions, which in practice may mean a user policy per login.
Privacy regulation requires a responsible Data Officer
An innovation in this regulation is the requirement to appoint a data protection officer (DPO) in businesses that handle large volumes of customer or citizen data. All public companies must have a DPO.
The DPO can be employed in the enterprise or be an external consultant. What is decisive is that the DPO must be able to operate independently of the company’s interests, must report to the company’s executive management team, and must also be the contact person for customers and partners as well as for the national data protection agency responsible for enforcing the regulation.
It will also be up to the DPO to keep track of whether the company complies with the provisions on personal data protection and to ensure that the employees who are in contact with personal data are trained in handling it, and that correct security in doing so is effectively in place.
Service Design with “privacy by design” and “Privacy by Default”
The Commission is also working with the concept of ‘privacy by design’, which means that personal data protection must be fundamentally embedded in any system architecture and design.
A similar concept is ‘privacy by default’, which means that personal data may only be stored as long as it is relevant to the application.
This means that IT systems can no longer simply accumulate personal information for future use, but must delete it when the purpose it was collected for has ended. No such data may be available to BI (Business Intelligence) software or other log/event/behavior analysis software.
Compliance with the basic privacy rules could prove extremely costly for small and medium-sized enterprises, which can be asked to demonstrate how the privacy rules are complied with throughout system development in any part of the organization in any country. The requirements are complicated further by the frequent use of subcontractors to handle both data and parts of the system development.
Companies can also, however, see an opportunity in living up to the new requirements: through a certification from the EUROPEAN UNION they could show consumers that personal data is under control and that users’ data is in safe hands.
The lawfulness of the processing of personal data must be documented. Any failure to do so will have economic consequences for both industry and government.
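As an added illustration of the “pseudonymous data” described under What is COVERED and of the deletion duty described here (example code written for this page, not part of the regulation, of VERIO’s scheme or of any product), the Python below keeps the identifying lookup table apart from the analytics data and purges both when the collection purpose ends or a person asks for erasure. The sample records, the HMAC key and the field names are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample records (not real customer data). "retain_until" is the
# ISO date on which the purpose the data was collected for ends.
RECORDS = [
    {"email": "anna@example.org", "name": "Anna Berg", "orders": 3, "retain_until": "2017-06-30"},
    {"email": "ole@example.org", "name": "Ole Hansen", "orders": 1, "retain_until": "2019-01-31"},
    {"email": "anna@example.org", "name": "Anna Berg", "orders": 2, "retain_until": "2019-01-31"},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256) of a direct identifier. Unlike a plain hash,
    it cannot be reversed by guessing likely e-mail addresses without the key."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key):
    """Split records into an analytics set (pseudonym + non-identifying fields) and a
    lookup table (pseudonym -> identifiers). The lookup table and the key must be stored
    separately from the analytics set; that separation is what makes the data pseudonymous."""
    analytics, lookup = [], {}
    for r in records:
        pid = pseudonym(r["email"], key)
        lookup[pid] = {"email": r["email"], "name": r["name"]}
        analytics.append({"pid": pid, "orders": r["orders"], "retain_until": r["retain_until"]})
    return analytics, lookup


def purge_expired(analytics, lookup, today):
    """Privacy by default: drop rows whose purpose has ended (ISO dates compare as
    strings) and drop lookup entries that no retained row still refers to."""
    kept = [a for a in analytics if a["retain_until"] >= today]
    live = {a["pid"] for a in kept}
    pruned = {pid: ids for pid, ids in lookup.items() if pid in live}
    return kept, pruned


def erase_subject(email, key, analytics, lookup):
    """Erasure request from one person: remove their lookup entry and all their rows."""
    pid = pseudonym(email, key)
    pruned = {p: ids for p, ids in lookup.items() if p != pid}
    return [a for a in analytics if a["pid"] != pid], pruned
```

The key would in practice be generated once (for example with secrets.token_bytes(32)) and kept with the lookup table, away from the systems that hold the analytics set.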