Tougher sanctions and streamlined incident reporting
This is the big one. In case there was any doubt about how seriously the regulators are taking the data breach issue, sanctions have been made much, much tougher. Fines may be as high as €100m or 5 percent of global annual revenue (whichever is higher), in stark contrast to the current UK position, where the maximum fine is £500,000.
Currently, different countries have different rules on reporting data loss, both to the regulator and to affected users. The regulation is intended to streamline the process, most likely so that regulators must be informed within 72 hours, unless, under the 'reasonable expectations' provision (explained shortly), the data was encrypted or tokenised.
Arguably, something is missing from this new rule, namely how much time organisations have to inform users. TalkTalk, for instance, recently suffered a data breach and informed regulators within the required 72 hours (the UK rule). However, users were not informed until several months later, during which time hackers used the stolen contact details to phone or email TalkTalk customers, posing as the company in an attempt to steal money. TalkTalk should have moved faster to inform its customers of the breach: once contact details are in criminal hands, every day of silence is a day of convincing phishing calls, so the clock for telling users should be driven by the risk of misuse, not by the regulator's deadline.
Encryption and tokenisation can come to your rescue
It's not all bad news: the regulation says that controllers must meet individuals' "reasonable expectations" of data privacy, and it stipulates that tokenised, encrypted or pseudonymised data meets these expectations. This is great news, as it lets organisations encrypt or tokenise data before uploading it to the cloud. Provided the encryption keys (or the token vault) stay on the organisation's own premises, data loss is much less likely in the first place, and if a breach does happen the organisation can show the regulator that it took steps to "meet individuals' reasonable expectations of data privacy". The caveat is that the protection is only as strong as the key management: if the key is stored alongside the data, or is compromised in the same incident, the data is effectively in the clear.
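To make the "keep the keys on your own premises" point concrete, here is an added example (not from the article, and not any vendor's product code) of preparing a customer record for cloud upload. It tokenises the directly identifying fields through an on-premises vault, adds a keyed pseudonym under an on-premises HMAC key so cloud-side analytics can still join records per customer, checks that no identifying value survives in the uploaded record, and shows why an unkeyed hash of a low-entropy field such as a phone number is not real pseudonymisation. The record, the field list and the key are constructed for the example; a real deployment would draw the key from an HSM or on-premises KMS and would encrypt free-text fields with an authenticated cipher such as AES-GCM, which is not shown here.

```python
"""Tokenise and pseudonymise a customer record before it leaves the premises.

Added example, not part of the original article. Two on-premises controls are
shown, both of which leave nothing directly identifying in the uploaded copy:
  - tokenisation: each identifying value is replaced by a random token; the
    token -> value map (the vault) never leaves the premises;
  - keyed pseudonymisation: HMAC-SHA256 under an on-premises secret, so the
    same customer always maps to the same pseudonym (joins still work) but
    nobody without the key can recover or enumerate the original value.
"""
import hashlib
import hmac
import secrets

# Constructed sample record; 07700 900xxx is a reserved (fictional) UK range.
SAMPLE_RECORD = {
    "customer_id": 1017,
    "name": "Ada Example",
    "email": "ada@example.com",
    "phone": "07700 900123",
    "plan": "fibre",
}
IDENTIFYING_FIELDS = ("name", "email", "phone")

# Assumption for the example: in production this key comes from an HSM/KMS
# on the organisation's own premises and is never uploaded with the data.
ON_PREM_KEY = secrets.token_bytes(32)


class TokenVault:
    """On-premises token <-> plaintext mapping. The cloud never sees it."""

    def __init__(self):
        self._forward = {}   # plaintext -> token (repeated values share a token)
        self._reverse = {}   # token -> plaintext

    def tokenise(self, value):
        token = self._forward.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(8)   # random, carries no information
            self._forward[value] = token
            self._reverse[token] = value
        return token

    def detokenise(self, token):
        return self._reverse[token]


def pseudonymise(value, key):
    """Deterministic keyed pseudonym; useless without the on-premises key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def sha256_hex(value):
    """Plain (unkeyed) hash, used only to demonstrate the failure mode."""
    return hashlib.sha256(value.encode()).hexdigest()


def prepare_for_cloud(record, vault, key):
    """Return the copy of the record that is safe to upload."""
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        if field in out:
            out[field] = vault.tokenise(out[field])
    # Stable per-customer join key that does not reveal the email address.
    out["customer_pseudonym"] = pseudonymise(record["email"], key)
    return out


def restore_from_cloud(cloud_record, vault):
    """Re-identify a downloaded record; only possible with the on-prem vault."""
    out = dict(cloud_record)
    for field in IDENTIFYING_FIELDS:
        if field in out:
            out[field] = vault.detokenise(out[field])
    out.pop("customer_pseudonym", None)
    return out


def leaks_plaintext(cloud_record, original):
    """Pre-upload check: does any identifying value survive verbatim?"""
    blob = repr(cloud_record)
    return any(original[f] in blob for f in IDENTIFYING_FIELDS if f in original)


def unkeyed_hash_is_reversible(hashed_phone, prefix="07700 900", width=3):
    """Why SHA-256 alone is not pseudonymisation for a phone number: the input
    space is tiny, so an attacker simply enumerates it and matches the hash."""
    for n in range(10 ** width):
        candidate = f"{prefix}{n:0{width}d}"
        if sha256_hex(candidate) == hashed_phone:
            return candidate
    return None


def demo():
    """Run the round trip and return the intermediate results."""
    vault = TokenVault()
    cloud_copy = prepare_for_cloud(SAMPLE_RECORD, vault, ON_PREM_KEY)
    return {
        "cloud_copy": cloud_copy,
        "leaks": leaks_plaintext(cloud_copy, SAMPLE_RECORD),
        "restored": restore_from_cloud(cloud_copy, vault),
    }


if __name__ == "__main__":
    result = demo()
    print("uploaded:", result["cloud_copy"])
    print("leaks plaintext:", result["leaks"])
    print("restored equals original:", result["restored"] == SAMPLE_RECORD)
    print("unkeyed hash of phone recovered:",
          unkeyed_hash_is_reversible(sha256_hex(SAMPLE_RECORD["phone"])))
```

The design point is that everything needed to re-identify a customer, the vault and the HMAC key, lives on the left of the upload boundary, so a breach of the cloud copy alone yields tokens and pseudonyms rather than names, emails and phone numbers. The last function is the caveat a practitioner should keep in mind: hashing without a key only looks like pseudonymisation, because anything with a small input space (phone numbers, dates of birth, postcodes) is recovered by brute force in milliseconds.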
This period, when the regulation has been drafted but is not yet in effect, is the ideal time for IT, security and compliance teams to review the new requirements, seek legal guidance and put in place the processes that will enable compliance. There are many other changes aside from these ten, and a new eBook written jointly with Anthony Lee, a well-known data protection lawyer and partner at DMH Stallard, provides additional detail on the most important areas, especially where they affect the use of cloud services and data stored in the cloud.