In December 2015, the EU Commission reached an agreement on two key data protection regulations – the General Data Protection Regulation (GDPR) and theNetwork and Information Security Directive (NISD). The GDPR and the NISD are complimentary initiatives with the shared goal of modernizing and harmonizing data protection frameworks across the EU. The GDPR will give EU citizens stronger rights, empowering them with better control of their data and ensuring that their privacy remains protected in the digital age. The NISD is complementary to the GDPR, aimed at the protection of IT systems in critical national infrastructure for the EU. Here is a quick comparison of the two regulations from a data protection perspective.
|Penalties||Maximum penalties for data breaches are now 4% of global revenue or 20M Euro, whichever is higher||Penalties and fines yet to be clearly defined|
|· Data breaches must be reported as soon as possible and, where feasible, no later than 72 hours after discovery of a breach
· Regulation will apply to companies headquartered outside of Europe as long as they have operations in Europe
· Data Transfers to third countries and international organizations may only be carried out in fullcompliance with this Regulation
· Requires Data Protection Officer
|· Requires operators of essential services in the energy, transport, banking and healthcare sectors, and providers of critical digital services like search engines and cloud computing, to take appropriate security measures and report incidents to the national authorities
· Member States will also be required to designate a national competent authority for the implementation and enforcement of the Directive, as well as Computer Security Incident Response Teams (CSIRTs) responsible for handling incidents and risks
|Primary Goals||· Regulation to achieve a general EU framework for data protection
· Directive on protecting personal data processed for prevention, detection, investigation or prosecution of criminal offenses and related judicial activities
|· Improve cyber security capabilities in the Member States
· Improve Member States’ cooperation on cyber security
· Directive concerning measures to ensure a standard high level of network and information security across the EU
|Effective Date||May 25, 2018||21 months from publication of NISD in the Official Journal (yet to be published)|
|Organizations Impacted||· Data controllers and data processors
· Essentially any organization with “Personal Data.”
|· Operators of essential services in the energy, transport, banking and healthcare sectors
· Providers of critical digital services like search engines and cloud computing
The table above is a limited comparison of the two regulations and does not cover the full text of the rules. However, GDPR is certainly ahead of NISD since the effective date of enforcement is set in stone and hefty fines and penalties are clearly spelled out. In today’s connected world, every organization deals with data so the GDPR will impact more organizations than the NISD. Like most regulations, the GDPR will have text that covers many initiatives. Therefore, it is paramount to apply the directives in the context of your business. Every organization should first parse the changes to data breach notification laws given its broad applicability. Other changes, such as the “right to be forgotten,” primarily impact firms that process personal data and make it available online. A word to the wise: if you think a US headquarters will give your company a free pass from the GDPR, it is time for you to consult your legal department, especially if you have any operational presence in the EU. The key takeaway here is that the GDPR has major implications for most firms, so get started on an action plan soon to avoid paying the hefty fines for non-compliance.
Thousands of customers have already deployed Imperva SecureSphere solutions for data security primarily to meet regulatory compliance needs. Consider implementing Imperva SecureSphere for data, the industry leading data audit and protection solution to meet the GDPR requirements ahead of time.
For more information on the GDPR, please refer to this excellent FAQ from our partners atCordery Compliance.