Ahead of this morning’s data protection workshop, Xavier de Jabrun, deputy director insurance and risk management at Thales, reviews the new rules

Law

New EU data protection laws will change companies’ obligations when it comes to personal data and companies are urged to prepare for the changes now.

On 15 December 2015, the European Union agreed on new EU-wide data protection rules, referred to as the EU General Data Protection Regulation (GDPR), which was originally derived from EU Data Protection Directive in 1995 (95/46/EC).

An update of the 1995 law was deemed necessary because of recent advancement in technology. The Internet, cloud, and Big Data – all of which generate massive amounts of personal data – for example, were just a few of the factors that forced the EU to reconsider its existing approach to its data security law.

The new rules include:

  • notifying authorities and consumers of when there has been a data breach;
  • categorising the types of data collected by controllers, recording the recipients for whom the data is disclosed, and specifying an indication of the time limits before the personal data is erased;
  • conducting data protection impact assessments (DPIAs) before the controller initiates new services or products involving the data subject’s health, economic situation, location, and personal preferences—and more specifically data related to race, sex life, and infectious diseases; and
  • complying with rules on the right to be forgotten.

Other changes to the law include nullifying the Safe Harbor scheme, a 15-year-old agreement that had underpinned how US companies handle personal data of their European customers. Under this agreement, personal data could be exported to the US and transferred to a US company that is a member of the so-called “safe harbor” scheme. But in October 2015, the European Court of Justice ruled it is no longer safe to host data in the US.

The new rules call for “dynamic risk assessment,” said Xavier de Jabrun, deputy director insurance and risk management at global major electronic systems company Thales, and the moderator for a workshop on the new regulation.

He said businesses can better account for the new rules by making them part of their risk assessments: “In our risk map, we need to include the risk of a potential data protection failure, which could be a breach in compliance and thus, our duty to notify [the appropriate authorities of such a breach].

“But [a breach] could also have other consequences, such as losing customers because they no longer trust you.”

Companies have been given until spring 2018 to comply with the rules or could risk facing sanctions. Some companies are ahead of the curve, having made the necessary changes to ensure they are compliant, said Jabrun. “However, [compliant businesses] may demand prospective partners to also adhere to the new rules before agreeing to do business with them. So even before receiving a penalty by regulators, those who are not compliant may get a ‘sanction’ from potential clients.”