MMC CYBER HANDBOOK 2016

thesp0nge

2f1WZOG

MMC CYBER HANDBOOK 2016

STRATEGY

We now have a new data protection law in

Europe. It has taken more than four years

from the publication of the first draft of the

regulation in January 2012, but after some painstaking

work by European Union (EU) bodies that had to

consider an unprecedented 4,000-plus comments and

submissions by national supervisory authorities and

other stakeholders, it has now been made law.

On May 4, 2016, the General Data Protection

Regulation (GDPR) was published in the Official Journal

of the European Union, and then entered into force

20 days after publication. However, there is a two-year

implementation period before EU member states

must be fully compliant with the regulations. (See

Exhibit 1.) This implementation period allows both EU

member states’ supervisory authorities and the entities

that will be subject to the GDPR time to prepare their

organizations for the changes in practice that the GDPR

will require.

For those organizations that have not been

following the path of this regulation too closely, the

sooner you assess the implications of the regulation for

your business and implement the required changes,

the better. Complying with the regulation will require

many organizations to implement a complex privacy

management system as an integral part of their

information and cybersecurity management system.

In addition, key provisions of the GDPR will affect the

exposure profile of captured entities, and organizations

should review and update their transfer and risk

financing strategy. The penalties for noncompliance

can be severe, and it is therefore important that

compliance be demonstrated well in advance of the

end of the implementation period.

WHY DO WE NEED A NEW

REGULATION?

The obvious response to this question is to point to the

significant evolution in technology that has changed

the way in which data is collected and used since the

EU Data Protection Directive 95/46/EC (Directive)

(implemented in the UK by the Data Protection Act

1998) was adopted in 1995. To provide some context,

1995 was the year that Amazon was launched, but still

predates Facebook and Google.

The GDPR text acknowledges that the dramatic

increase in data collection and sharing enabled by

technological developments means that both public

and private entities are able to make use of personal

THE NEW REGULATION WILL HAVE

A BROADER TERRITORIAL SCOPE,

APPLYING TO NON-EU COMPANIES

TARGETING THE EU MARKET

data on an unprecedented scale. The impetus for the

European Commission’s proposals to update and

modernize the Directive was twofold: first, to empower

individuals by guaranteeing the right to the protection

of personal data that was recognized by Article 8 (1)

of the Charter of Fundamental Rights of the European

Union and Article 16 (1) of the Treaty on the Functioning

of the European Union; and secondly, to help build trust

in the online environment, which plays a central role in

the wider plans to create a Digital Single Market (DSM).

WHO DOES THE REGULATION

APPLY TO?

The new regulation will have a broader territorial scope,

applying to non-EU companies targeting the EU market

by either offering goods or services or monitoring their

behavior. Thus, the regulation will not only apply to

companies that are established and/or process data in

the EU, it will also apply directly “to the processing of

personal data of data subjects who are in the Union by

a controller or processor not established in the Union,

where the processing activities are related to: (a) the

offering of goods or services, irrespective of whether

a payment of the data subject is required, to such data

subjects in the Union; or (b) the monitoring of their

behavior as far as their behavior takes place within

the Union.”

It is important to understand where your

“main establishment” is considered to be under

the regulation, as this will govern which member

state’s supervisory authority will take the role of lead

supervisory authority in the event of any complaint

and any associated enforcement action. The “main

establishment” is not necessarily the corporate HQ, as

the regulation defines this to be “where the decisions

on the purposes and means of the processing of

personal data are taken.”

For data processors, the change is even starker, as

they are now captured directly by this new regulation.

Rather than having their duties defined solely under a

Copyright © 2016 Marsh & McLennan Companies

18

More magazines by this user
Similar magazines