Minimum fines of €20m / 4% of annual turnover (whichever is higher) await telcos, as the EU Parliament passes punitive new “GDPR” data protection legislation (Strasbourg, 14.04.16)

The EU Parliament has passed its long-awaited GDPR legislation, first proposed in 2012.

Since the draft text was released last December, observers have keenly awaited confirmation of the most interesting outstanding item to be agreed – namely the nature and extent of the fines awaiting organisations found to be in breach. The initial draft legislation from the EU Commission proposed fines of up to 1% of annual turnover. In the approved version, however, this figure has leapt to 4%, presenting a significant financial risk to “data controller” organisations (such as telcos) and to “data processors” (such as the third-party IT partners that support them).

Fines will be up to 4%, or €20m – whichever is greater.

MEP Jan Philipp Albrecht, the European Parliament’s chief negotiator for the GDPR, said: “Firms breaching EU data protection rules could be fined as much as 4% of annual turnover – for global internet companies in particular, this could amount to billions”.

GDPR will provide a single, EU-wide regulation which overrides the existing individual data protection laws of EU member states. In passing the legislation, the EU Parliament has also confirmed a timeline for adoption: organisations must be fully compliant with the regulation no later than May 2018.

For many organisations, data protection has tended to be a relatively minor compliance consideration, with little more than lip service paid to existing regulations. Described by a leading analyst as a “paradigm change in the way that data collection and use are regulated”, and backed by major fines, GDPR is set to change this.

Managed file transfer and GDPR compliance

The correct management of data – its movement, its processing, how it is shared, and its storage and retrieval – is critical for minimising the risk of an accidental breach of GDPR.

Accountability will become a critical component: companies will be called to account, at the request of inspectors, to demonstrate that appropriate processes for data processing, sharing, movement, retrieval and storage are in place.

This sounds straightforward, but many organisations rely on ad hoc, in-house technical scripts to manage the movement and storage of datasets. Often these scripts are created in isolation to support an individual requirement. Over time, layers of script build up into a disjointed design. It is still comparatively unusual for an organisation’s IT department to employ a single cohesive system or process for the management of data transfers, and internal ownership may be similarly fragmented across different teams. Such an approach may now become painfully exposed in a number of areas:

  • Telcos may be using an unreliable or ineffective process. It may fail to deliver a dataset from A to B. It may send data to the wrong place. It may stop working without anybody noticing. The consequences of those failures now bring the threat of fines into play.
  • Telcos may be using a process which functions adequately day-to-day, yet still fails to meet the governance requirements set out by GDPR. Can data security, and the right level of controls, be clearly demonstrated? Are there safeguards in place to quickly highlight breaches, or risks of breach, in the overall process? Is there an error management tool or system to identify and manage unexpected outages in the movement of files? Can an audit trail of what happened, and when, be shown? Can it meet SOX?

The clock is ticking. Talk to iCONX today, to discuss how iCONX MFT can meet your GDPR compliance needs.