Companies operating in the EU should take security very seriously in order to comply with the General Data Protection Regulation, according to Paul Nemitz, the director for fundamental rights at the European Commission's justice directorate.
Speaking at the Free and Safe in Cyberspace conference in Brussels recently, Nemitz said companies should pay close attention to the GDPR's brief but important mentions of privacy by design and security as mitigating factors when calculating potential fines for violations.
He said this development, together with the existing "material law obligation to keep personal data secure," should boost investments in security.
"If a processor or controller has invested in privacy by design, and these can be security investments, then this can lead to a deduction of fines in case there are elements nevertheless of noncompliance," said Nemitz, the man who back in 2011 announced that the commission was working on the regulation.
"I would think for those who carry responsibility for data security and data protection in the companies, this is an interesting argument when it comes to the question, 'How much are we going to invest in data security?'"
Nemitz noted that, inevitably, EU courts will have to decide precisely what the GDPR means when it calls for companies to provide necessary levels of security. "This will have to eventually be interpreted by judges, but before it is interpreted by judges it has to be interpreted by the data protection authorities and before that by the processors and controllers," he said.
"Do not assume that this law is interpreted by the DPAs and later on judges as meaningless because it is just one sentence. It is likely that this law is interpreted as meaning state of the art [security]."
Indeed, Article 32 of the Regulation, with which companies will need to comply from May 2018 at the latest, calls for "a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing."
Article 83, which discusses the conditions for imposing administrative fines, says authorities must pay due regard to "the degree of responsibility of the controller or processor taking into account technical and organizational measures implemented by them pursuant to Articles 25 and 32." Article 25 is the one that explicitly calls for what the GDPR refers to as "data protection by design."
"'You must ensure the security of data' means tomorrow something else than it means today," said Nemitz. "The meaning of the sentence moves with the state of threat ... This is the beauty of a law that is short and technology-neutral and will be relevant for 20-30 years ... No processor or controller can wiggle its way out of this by saying, 'We tried our best but unfortunately we didn't realise 90 percent of the market does something that is more effective.'"
However, Nemitz was also keen to note that up-to-date security mechanisms should provide a competitive advantage for companies when trying to win customers.
"What we observe on the markets is that privacy and security sells," he said. "You do not only have these rewards in the law, but you have these rewards in the market."
Nemitz cited a study released on Thursday by German technology trade association Bitkom, which suggested that a third of companies in the country saw the new data protection rules as a business opportunity. "It differentiates competitors from Europe positively from competitors from anywhere in the world," he said.
The official also claimed that large companies have been actively seeking out startups to help them comply with the GDPR.
"I'm not a market researcher, but I can tell you that there are very big players, big corporations, who come to us and say, 'Can you tell us about small companies in which we should be interested, which are developing privacy and security models which maybe we could incorporate in our business models?' That's increasing," Nemitz said.
Asked whether the European Commission itself was leading by example, in procuring privacy-friendly data processing services, Nemitz suggested the Commission's internal rules "will be updated in light of the regulation."
"I don't know the buying practices of the commission in detail, but I know in recent years more than before, in the buying practices for cloud services and so on, people have looked into where does the data go," he said. "I would think the Commission behaves like the better half of the market."
Nemitz will be speaking at the IAPP's Europe Data Protection Congress 2016 in November about preparing for both the GDPR and for the new U.S.-EU Privacy Shield, in which he was also a key player.