The first EU Data Protection Directive was written in 1995; the updated law is now under discussion. It will be a stronger Data Protection Regulation, updated to take into account the technology changes of the last 20 years, with the plan being to finish the regulation this year and implement it in 2017.
There’s a lot to say about the regulation, and we’ve published an eBook written jointly with Anthony Lee, a well-known data protection lawyer and partner at DMH Stallard, to help you understand the most important areas, especially where it affects the use of cloud services and data stored in the cloud. As with any Directive, the current draft could change; however, we can see the direction of travel, and here are a few key headlines from the current draft that security and compliance teams should take notice of:
- The Regulation will be implemented in all 28 countries simultaneously.
- There’s a heavier compliance burden on data controllers (owners of the content).
- Data processors (such as cloud providers) are also responsible for data protection.
- This affects anyone, globally, who may have data on EU citizens and residents.
- There are tougher sanctions – possibly fines as high as 5% of global revenue.
- Users can claim compensation for data loss (including class action lawsuits).
- Rules around transferring data on EU citizens outside the EU are being tightened.
- Rights for users to see the data collected about them are being harmonized.
- Users can demand that their data be erased.
- There are greater obligations to inform users of their right to opt out, and for data controllers to document users’ approval.
- Data loss must be reported to the authorities within 72 hours.
The regulation also recognises how technology can help keep data safe, and states that if data has been tokenized or “pseudonymized” it is presumed to meet an individual’s reasonable expectations of data privacy. This is great news for enterprises, as it allows organizations to encrypt or tokenize data before uploading it to the cloud, and, provided they keep the encryption keys on their own premises, a data loss is not such a disaster.
This period, when the regulation is drafted but not yet in effect, is the ideal time for IT, Security, and Compliance teams to review the new requirements and put into place processes that will enable compliance. These are the key steps to take today:
- Assume all data about an individual (including information such as work email addresses) is personal and covered by the new regulation.
- Review your data handling processes, including uploading to cloud services and handing data to third parties. Consider demanding the right to inspect the handling processes of these third parties.
- Encrypt or tokenize sensitive data before it leaves your premises, keeping the keys yourself.
- Get legal advice on the full impact of the regulation.
- Check the country where all cloud providers are based and the country where the data resides.
- Define your process when a user demands erasure of their data.
- Ensure senior management realizes the potential magnitude of the fines.
- Define the cloud services you trust and want to use, train users and enforce appropriately.
… and, of course, feel free to ask Skyhigh for help and further advice.