The European Union (EU) issued its first directive on data protection in 1995. This has been implemented in the 28 countries of the Union with local laws. Each country’s interpretation has been slightly different and the subsequent regulatory mechanism and enforcement have differed.
Now, in 2015, after at least three years of negotiations, a new regulation has been published, expected to be approved by the EU parliament in early 2016, called the European General Data Protection Regulation (GDPR). This has updated the regulations based on the last 20 years of experience and will become law in all 28 countries in early 2018. The regulation clearly defines personal data, provides a common regulation across 28 countries, and has been updated to take into account the complexities of data handling and cloud computing.
But this isn’t only a law for organisations based in the EU. Any organisation that holds data on EU citizens is subject to the law: if you have a web site and someone visits it from the EU and enters their contact details, you now hold data on an EU citizen. So you could claim it’s a law with global impact, and all organisations need to review their processes, policies, procedures, data handling, and technology to ensure that they comply.
A simple knee-jerk reaction is to say that all regulation is a nuisance and a burden on business, but in fact the regulation puts in writing the policies that all organisations should already be aiming for. The many data loss incidents over the last few years and the rising concerns of consumers show that it is necessary to ensure the issue is taken seriously.
The law is 204 pages long and deserves a comprehensive review, but here are the 9 primary measures and actions needed:
1. Fines are increased to “up to 4% of global turnover”.
This is intended to get boardroom attention and ensure that betraying data privacy and protection is treated as a significant risk to the business. It’s expected that fines will scale with the amount of data lost. In the last few years fines in the EU have been rising, and those organisations without appropriate policies and investments in technology and procedures have been fined the most.
2. Mandatory disclosure of data loss incidents
If an organisation loses data, it has 72 hours to inform the local regulator. At that point, information on the circumstances of the breach and the technical measures that were in place to safeguard the data must be given to the regulator. The individuals whose data has been lost must also be informed “promptly”. The potential resulting bad publicity should also make companies take care of the data in their care.
3. Data processors are jointly liable with data controllers.
In the past, only data controllers (usually the organisations who gathered the data) were responsible for loss. Now it is a joint responsibility with the data processor: if you are a cloud service provider or outsourcer that processes data on behalf of someone else, and that data includes data on EU citizens, you are also liable.
4. Any data that identifies an individual is personal data
Previously, some countries had their own interpretation of what constituted personal data, but this has been set out more clearly in the new regulation so all 28 countries will have a consistent definition of personal data.
5. An individual has the right to access their data and to have it deleted
Organisations need to consider how they comply with this requirement.
6. Pseudonymisation and encryption are encouraged
The law specifically encourages data controllers and processors to implement technologies such as encryption to safeguard data. There are many forms of encryption available, and different methods of implementation (such as where to hold the keys) that should be considered.
7. Clarification on ways to transfer data outside the EU
The new regulation specifically states that data may be transferred using standard data protection clauses adopted by the Commission. This should help clear up the confusion caused by the recent EU Court of Justice ruling on the US Safe Harbor scheme.
8. Senior management need to take data protection seriously
With the higher fines and wider remit, senior management need to understand that the starting gun has been fired on enhanced data protection regulations. Now is the time to put together a cross-functional team to ensure that you conform to the regulation.
9. IT has to take the lead
Anyone with personal data (and remember, every employer has personal data on their employees) needs to look into the data they hold, how they hold it, where it is stored, and the policies, procedures, and technology used to keep it secure. And, don’t forget all the 3rd party organisations that may have access to this data – you can outsource the data processing and you can even send data outside the EU (by legal methods), but you are still responsible for any subsequent data loss.
If data is being transferred outside the EU, for example to non-EU cloud service providers, consider options such as encrypting the data before transfer or using an EU-based service provider.
As most data loss is caused inadvertently by employee actions, organisations need to train employees on data handling techniques.
With this regulation, we will have consistent data protection regulations in all 28 countries of the European Union. It is being used as a basis in many other countries, such as the UAE, and is a major revision and improvement over the previous laws. It reminds us that data handling and potential data loss are major business issues that need to be taken very seriously at all levels, and by all organisations.