If you live in the UK or anywhere else in the European Union for that matter, you’ve likely been following the new EU data regulations reform movement which is expected to establish a consolidated data protection policy framework for all 28 member states.
In case you’re unfamiliar with the legal proceedings or if you’re looking for more details, we’ve provided background information on the current data regulation legislative standard and outlined what the unified proposal entails. It can be easy to miss the big picture when combing through paragraphs of legal jargon, but hopefully this summary will help pinpoint the key implications and explain how you can proactively respond!
The Current State of EU Data Protection Regulation is outlined below.
The EU Data Protection Directive
As of right now, Europe is subject to the EU Data Protection Directive (Directive 95/46/EC), established by the European Union to safeguard the privacy and integrity of all personal data processed, used, or exchanged between EU citizens. In accordance with Article 8 of the European Convention on Human Rights (ECHR), the Directive is intended to protect “the rights of privacy in personal and family life, as well as in the home and in personal correspondence.”
The EU Directive includes the following seven principles:
[easy-tweet tweet=”The EU Directive: Notice – those whose personal #data is being collected should receive notice” user=”followcontinuum”]
[easy-tweet tweet=”The EU Directive: Purpose – the collected #data should be used only for the purpose(s) provided” user=”followcontinuum”]
[easy-tweet tweet=”The EU Directive: Consent – disclosure of personal #data with third parties may only be permitted if data subject consents” user=”followcontinuum”]
[easy-tweet tweet=”The EU Directive: Security – personal #data that’s collected should be kept secure from potential abuses” user=”followcontinuum”]
[easy-tweet tweet=”The EU Directive: Access – #data subjects may access their data and correct any inaccuracies” user=”followcontinuum”]
[easy-tweet tweet=”The EU Directive: Accountability – #data subjects will be able to hold data collectors accountable” user=”followcontinuum”]
- Notice – those whose personal data is being collected should receive notice
- Purpose – the collected data should be used only for the purpose(s) provided
- Consent – disclosure or sharing of personal data with third parties may only be permitted if data subject consents
- Security – personal data that’s collected should be kept secure from potential abuses
- Disclosure – those whose personal data is collected should be notified as to who is receiving it
- Access – data subjects may access their data and correct any inaccuracies
- Accountability – data subjects will be able to hold data collectors accountable for abiding by these seven principles
Under this standard, each EU member state manages data protection regulations and their enforcement within its jurisdiction. Data controllers are the ones who obtain the personal data from citizens in their country, data subjects, and are held to the seven principles as listed above. Additionally, each member state must form a supervisory authority in charge of monitoring data protection and launching legal proceedings when data regulations are violated. Adding to its decentralized nature, the Directive must be implemented by each member state and written into their own data protection legislation.
Up until recently this fragmented approach sufficed…
New Digital Union Framework Agreed Upon
According to CompTIA’s 10th Annual Information Security Trends study, 55% of respondents claimed the increased interconnectivity of devices, systems, and users were among top factors impacting security practices. Now with this rise in interconnectedness and the proliferation of social networks and cloud computing, European data regulations are being revisited and have been in a continuous process of reevaluation by the European Commission since January of 2012. Recently, however, there’s been a breakthrough! After universal agreement among the justice ministers of each state, what was once the EU Data Protection Directive will eventually become the General Data Protection Regulation (GDPR). The EU’s European Council projects its adoption in either this year or the next, with a two year period before going into effect. Once this happens, because it will be a Regulation and not a Directive, all 28 countries of the European Union will be immediately subject to the legislation.
what was once the EU Data Protection Directive will become the General Data Protection Regulation (GDPR)
So what does this mean? With one data protection framework, one “single digital union,” binding all of the member states of the EU, privacy regulations and European citizens’ data will be managed throughout the entire territory, rather than in the individual countries.
[quote_box_center]
In response to this agreement, Director General of the European Consumer Organisation Monique Goyens gave the following comment:
“EU laws are now lagging behind the pace of technologies and business practices. Our personal data is collected, then used and transferred in ways which most consumers are oblivious to. An appropriate update must put control of personal data back in the hands of European consumers. This new regulation is the opportunity to close gaps, ensure robust standards and stipulate that EU laws apply to all businesses operating here.”
[/quote_box_center]
As of September 2015:
As of right now, the GDPR is still in draft-mode and will likely be for the next few months as the European Parliament, Council, and Commission negotiate a finished version. As stated originally, the law won’t become enforceable for another two years. That doesn’t mean service providers should remain idle though. Successfully implementing the new compliance and data protection standards will take time. Efforts should be made to begin planning today! Read on for suggested areas for review.
With the new European Data Protection Regulation, businesses will need to obtain consent from those whose personal data they want to track
There are a few new changes you should account for with this uniform regulation. Under the new standard, for instance, Computer Weekly reports that “all data that identifies an individual, whether directly or indirectly, will now be personal data.” This increase in the amount of data that will need regulating (though perhaps not with the same degree of scrutiny) includes pseudonyms and IP addresses. Because of this, many more businesses will be affected, especially those that rely on customer profiling to build marketing and selling strategies around personal or behavioural data. With the new European Data Protection Regulation, these businesses will need to obtain consent from those whose personal data they want to track. How readily do you think these SMBs will provide this?
Customer data rights isn’t the only consideration that still needs to be fleshed out. After a brief summer hiatus, the parties reconvened on September 1st, to continue discussing the implications of the GDPR. Not everyone is on board with a single digital standard, however. On the same day, the Russian Data Localization Law went into effect. As a result, all personal data gathered from those in Russia must now be stored within the country’s borders, establishing a precedent of data sovereignty in the midst of a more unified data regulation movement.
Impact for Service Providers Serving the EU
Such a significant change in legislation could mean MSPs all throughout the EU will be forced to adhere to tougher data protection laws. How then should you respond to these latest updates? Computer Weekly has released a comprehensive guide outlining key components of the unified data regulation framework, those ISACA suggests IT service providers pay attention to.
1. Accountability
Review and update your privacy policies, procedures, and documentation since data protection authorities can ask for these at any time. One way to evaluate your policies is by performing a data protection impact assessment.
2. Governance Group and Data Protection Officers
Assemble an internal policy governance group to monitor all activities. If your organization has more than 250 employees or if you regularly and systematically monitor data subjects, you’ll be required to elect an independent Data Protection Officer (DPO) to oversee and report on data management processes.
3. Explicit Consent
This stipulation requires data subjects to freely agree to the processing of their personal data and data controllers to prove consent. Subjects can opt out of direct marketing data usage.
4. Right to be Forgotten
Under this regulation, data subjects can mandate removal of their personal data and refuse further distribution by the data controller.
5. Outside Parties
Data controllers outside of the EU who process data of those within the EU will need to appoint a representative within the territory.
6. Data Breach Notification
Data controllers will have to report any personal data breach to the data protection authority immediately and within 24 hours upon learning of the breach. If longer than this, they must provide the reason. Data controllers might also need to alert data subjects who’ve been affected in special cases.
7. Sanctions
Data protection authorities will have the power to fine up to 2% of annual global turnover for violations.
8. One Lead Supervisory Authority
The data protection authority in the EU member state in which a multi-jurisdictional data controller has its main establishment will monitor data processing of the data controller across all states.
9. The Cloud
Cloud providers, referred to as data processors, will also be held responsible if there’s a breach due to their own improper planning, policies, and procedures.
While further implications of this new single digital union will continue to surface, MSPs can take action now to strengthen organizational protocol. Assess all of your internal processes and develop strategies around data classification, retention, collection, removal, storage and search. Track your efforts and frequently report on them and above all, train your employees to comply with the new policies and procedures you enact.
Paul Balkwell,