A New European Union regulation meant to ensure stronger privacy protection for its citizens will come into force in one year and Israeli firms need to start preparing now for the changes that will impact their business practices, experts warn.
“Israeli companies must make sure they have taken steps to comply with these new rules that will kick in a year from now,” said Ella Tevet, a partner at Tel Aviv-based GKH Law Offices, who is in charge of the firm’s IP and privacy practice. “The process will take time and is not simple, so now is the time to start preparing for these changes, otherwise the firms may find themselves the subject of millions of euros in fines.”
The aim of the new rules, enshrined in the General Data Protection Regulation (GDPR), which were adopted by the EU in April 2016 and will go into force on May 25, 2018, is to strengthen and protect individual fundamental rights in data protection. The regulation was designed to put people back in control of their personal data by allowing them greater rights, including the right to access the data and the right to delete it.
In addition, organizations will not be able to simply collect data without good reason, and they must also prove that they are doing their utmost to protect the data they have collected.
Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, photo, email address, bank details, posts on social networking websites, medical information, or even a computer’s IP address.
This data is often transferred and exchanged across companies and nations globally, with citizens often having neither control over their data nor knowledge of their rights. As the world becomes more digitalized and the use of the internet, social media and online transactions mounts, websites are increasingly using information about users’ online activity — what they buy, eat and where they travel.
The new EU rules will affect all organizations — whether in Israel or globally — that store or process personal data of European citizens. It doesn’t matter in which country the organization is based, said Ido Naor, a senior security researcher at cybersecurity firm Kaspersky Lab.
Kaspersky conducted a survey in April and found that some 20 percent of IT decision makers across Europe, at companies of 50 or more employees, still have little or no awareness of the GDPR. There was no separate data about Israeli firms in the research.
“We estimate that as soon as it kicks in, many organizations will go through a process of preparing their business to be in GDPR compliance, meaning they will change the way they store data, to prevent an event of being forced to delete it,” Naor said.
Companies that do not comply with the new rules can be fined up to 20 million euros ($22.5 million) or 4% of global annual turnover for the preceding financial year, whichever is greater.
The rules could apply to banks with branches in European cities that gather information on their clients, or to suppliers of taxi services targeting European citizens. And because it is not yet clear to whom exactly these rules may apply, as the “applicability” of the rules is still “subject to interpretation,” companies must make sure they have processes in place so as not to be caught off guard and in contravention of the rules, she said.
The right to be forgotten
The rules also give subjects the “right to be forgotten” — which entitles people to ask for their data to be deleted if there are no legitimate grounds for retaining it. In the case of data breaches, such as a cyberattack, companies that have data of consumers must notify the national supervisory authority as soon as possible, the new rules say.
Data controllers need to make sure they have technical and organizational measures in place to protect the rights of data subjects. The rules require controllers to hold and process only the data absolutely necessary for the completion of their duties, and to limit access to personal data to only those people who need it.
Tevet recommends Israeli firms start preparing now, ahead of the deadline. They should undertake a study of their data inventory to find out what personal and sensitive information they collect, how it is processed, where it is stored, how it is protected and who may have access to it.
If necessary, companies should appoint a data protection officer to be in charge of the matter, and they should set out all the legal grounds for the processing of data, as required by the regulation. They should also set out clear company policies and, if applicable, revise the company’s security policies to ensure the correct measures are in place.
Both Tevet and Naor are unsure about how the EU will enforce the new rules, but the specter of the high fines should be enough to bring the companies to comply, Naor said.
“Enforcement may be a problem,” said Tevet. “But we don’t know. So companies must make sure to find out if the rules apply to them and if so, then they will want to reduce their exposure. They have one year to prepare for this.”
The new European rules may also prompt Israel to tighten its own privacy rules to align them with the new European norms, Tevet said.