Where next with the General Data Protection Regulation?

Exactly when the GDPR will be finalised is still uncertain. Using the annual Data Protection Day last Wednesday as a platform, the Council and European Commission issued a joint statement indicating that some progress was being made, but it appears that a firm commitment to reaching a conclusion can only be promised for the end of 2015.

“We must conclude the ongoing negotiations on the data protection reform before the end of this year. By the 10th European Data Protection Day, we are confident that we will be able to say that the EU remains the global gold standard in the protection of personal data,” they said.

The latest version of the draft Regulation was issued on 19 December 2014. In total, the current draft shows that over 30 reservations have been entered by the Commission and over 500 by member states. These reservations highlight the difficulty of providing a reliable time frame for reaching consensus.

In the current proposal, SMEs have been given some relief from the Regulation’s more onerous obligations. Small and medium-sized companies will not need to appoint data protection officers, carry out privacy impact assessments or notify supervisory authorities about breaches.

Unsure what GDPR stands for?

The Commission has stated that the benefits of rolling out a single, pan-European data protection law are estimated at €2.3 billion per year. Despite this benefit, a recent survey has found that half of IT staff in England, Germany and France weren’t sure what the acronym GDPR stood for.

Furthermore, the study shows that responsibility for data protection compliance, originally intended to be driven at board level, has been relegated to IT staff in 62% of cases, followed by the legal department (36%) and external consultants (34%).

IT Governance recently conducted an analysis of the most common causes of data breaches reported to and handled by the ICO. The report found that poor information security was the single biggest reason for monetary penalties.

The research reveals that the ICO issued enforcement notices both for massive and extensively damaging cyber security breaches and for simpler but no less significant contraventions, such as faxes sent to the wrong recipients.

A recurring theme was the failure to apply well-known information security measures: asset disposal procedures were ignored, contract terms with third-party providers were insufficient, devices were not encrypted, or penetration testing was not conducted frequently enough.