The General Data Protection Regulation (GDPR) will take effect on May 25, 2018, replacing the current Data Protection Directive 95/46 in the European Union. It will introduce a number of new requirements regarding data control for organizations to manage. Similarly, across the pond, New York State’s Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) came into effect on 1st March, 2017.
It has been widely assumed that both regulations will introduce numerous new and complicated requirements, procedures and technologies that are not in place today (in fact, many reports have indicated that, in the case of the GDPR, there will be a complete overhaul of the data protection laws currently in force). This has caused a great deal of panic and confusion amongst organizations worldwide.
However, a closer examination of the regulations shows that this is not entirely true. Whilst new technologies, processes and procedures have been introduced, a number of the requirements in both regulations are not new per se but either: (a) already exist in the data protection laws currently in place; or (b) are common features of best practice in data security in general. This article will focus on some of the new requirements that have been introduced and consider why the deployment of encryption to protect data is now essential.
So what is ‘new’?
1. Privacy by Design – Encryption
The GDPR requires organizations to:
“implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data”.
NYCRR 500 requires organizations to:
“As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest”.
Both regulations expressly refer to encryption as an example of an appropriate measure to meet compliance. This has a huge impact on an organization’s deployment of information technology and security. In other words, privacy must be a key consideration in an organization’s design of its I.T. architecture, with the ability to encrypt data in motion being a fundamental component of such design.
2. Name and Shame
Both regulations have introduced notification requirements in the event that a data breach occurs. In the case of the GDPR, a notification must be made to the appropriate supervisory authority within 72 hours of becoming aware of a breach (Article 33). NYCRR 500 adopts the same timescale – a notification must be made to the superintendent within 72 hours of awareness (Section 500.17).
The GDPR takes this a step further – if a breach is likely to result in ‘a high risk to the rights and freedoms’ (for example, economic loss, reputational damage, etc.) of the individuals affected, then the organization must notify the data subjects as well. This could lead to significant reputational damage to an organization. However, a ‘Get-Out-of-Jail-Free’ card exists: Article 34 (2) provides that an organization can avoid having to make this disclosure in the event of a breach “if the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption”.
Encryption is not only expressly referenced in both regulations as an example of an appropriate technology to deploy, but it also helps to mitigate the damage caused to an organization in the event that a breach occurs.
3. Global Reach and Application
The scope of both regulations is not limited to the European Community in the case of the GDPR or to the State of New York in the case of 23 NYCRR 500. The GDPR is applicable to any company worldwide that processes the personal data of European citizens when offering them goods and services (Art. 3 (2) (a)).
NYCRR 500 has implications for organizations, regardless of location, that want to conduct business with financial institutions incorporated in New York.
This is because Section 500.15 requires organizations to:
“implement written policies and procedures designed to ensure the security of information systems and Nonpublic Information that are accessible to or held by third party service providers” (this should include details of the third party’s policies relating to the use of encryption for data in motion and at rest).
In essence, a number of third parties that are not directly impacted by the regulations (because they are not located in New York and/or are not financial institutions) will nonetheless have to make use of encryption in their communications with New York financial institutions.
4. Penalties for Non-Compliance
The maximum fine for non-compliance with the provisions of the GDPR is 20,000,000 EUR or up to 4% of an organization’s annual worldwide turnover. This is a significant increase from the fines set out in the Data Protection Directive. NYCRR 500 does not specify what the financial penalties for non-compliance will be. However, on an annual basis, organizations have to submit a compliance certificate to the superintendent certifying compliance with the regulations. This means that individuals within an establishment will have ownership of, and accountability for, compliance, which will drive proactive behavior to ensure obligations are met. Compliance will no longer be something that organizations can hide away from or risk ignoring.
‘Big Data’ and ‘Cloud Computing’ are no longer industry buzzwords – they are a reality in today’s market. In response to this, the legal and regulatory requirements governing data protection have evolved – they are now more complex and technology driven. Deployment of appropriate I.T. systems is now a key component of these requirements. This means that the use of encryption for data in motion is now essential and unavoidable.
There has been a tendency for organizations to ignore encryption in the past, mainly because of its complicated and challenging nature and the lengthy timeframes required to implement it. However, these challenges must now be overcome.
Simon Hill, Legal Counsel
Further information on these topics is available at: