The Current State of EU Data Protection Regulation is outlined below.
1) The EU Data Protection Directive
At present, Europe is subject to the EU Data Protection Directive (Directive 95/46/EC), adopted by the European Union to safeguard the privacy and integrity of personal data relating to individuals in the EU, wherever that data is collected, processed, or transferred. Drawing on Article 8 of the European Convention on Human Rights (ECHR), which guarantees “the right to respect for his private and family life, his home and his correspondence,” the Directive is intended to protect individuals’ privacy in their personal and family life, in their home, and in their correspondence.
The EU Directive includes the following seven principles:
- Notice – those whose personal data is being collected should receive notice
- Purpose – the collected data should be used only for the purpose(s) provided
- Consent – personal data may be disclosed to or shared with third parties only if the data subject consents
- Security – personal data that’s collected should be kept secure from potential abuses
- Disclosure – those whose personal data is collected should be notified as to who is receiving it
- Access – data subjects may access their data and correct any inaccuracies
- Accountability – data subjects must be able to hold data collectors accountable for abiding by these seven principles
Under the Directive, each EU member state regulates data protection and its enforcement within its own jurisdiction. Data controllers, the organizations that determine why and how personal data about individuals (the data subjects) is processed, are held to the seven principles listed above. Each member state must also establish a supervisory authority that monitors data protection and launches legal proceedings when the rules are violated. Adding to this decentralized structure, the Directive is not directly applicable: each member state has to transpose it into its own national data protection legislation, so the rules differ in detail from one country to the next.
Up until recently this fragmented approach sufficed…
WHAT WAS ONCE THE EU DATA PROTECTION DIRECTIVE WILL BECOME THE GENERAL DATA PROTECTION REGULATION (GDPR)
So what does this mean? Unlike a Directive, a Regulation applies directly in every member state without national transposition. With one data protection framework, one “single digital union,” binding all member states of the EU, privacy rules and the personal data of European citizens will be governed uniformly across the whole territory rather than country by country.
In response to this agreement, Monique Goyens, Director General of the European Consumer Organisation (BEUC), commented:
“EU laws are now lagging behind the pace of technologies and business practices. Our personal data is collected, then used and transferred in ways which most consumers are oblivious to. An appropriate update must put control of personal data back in the hands of European consumers. This new regulation is the opportunity to close gaps, ensure robust standards and stipulate that EU laws apply to all businesses operating here.”
2) As of September 2015:
As of this writing, the GDPR is still a draft and is likely to remain one for the next few months while the European Parliament, the Council, and the Commission negotiate the final text. Even once adopted, the Regulation is not expected to become enforceable for a further two years. That does not mean service providers should remain idle: implementing the new compliance and data protection requirements will take time, and planning should start now. The following areas are suggested for review.
WITH THE NEW EUROPEAN DATA PROTECTION REGULATION, BUSINESSES WILL NEED TO OBTAIN CONSENT FROM THOSE WHOSE PERSONAL DATA THEY WANT TO TRACK
3) Impact for Service Providers Serving the EU
Such a significant change in legislation means MSPs across the EU will have to adhere to tougher data protection rules. How should you respond? Computer Weekly has published a guide to the key components of the unified framework, drawing on ISACA’s recommendations for what IT service providers should pay attention to. The points below summarize them.
1. Privacy Policies and Documentation
Review and update your privacy policies, procedures, and documentation; data protection authorities can ask to see them at any time. One way to evaluate whether your processing meets the requirements is to perform a data protection impact assessment.
2. Governance Group and Data Protection Officers
Assemble an internal governance group to oversee all data protection activities. If your organization has more than 250 employees, or if its core activities involve regular and systematic monitoring of data subjects, you will be required to appoint an independent Data Protection Officer (DPO) to oversee and report on data management processes.
3. Explicit Consent
Data subjects must freely and explicitly agree to the processing of their personal data, and the burden of proving that consent was given falls on the data controller. Subjects can object to the use of their data for direct marketing.
4. Right to be Forgotten
Under the Regulation, data subjects can require the data controller to erase their personal data and to refrain from disseminating it any further.
5. Outside Parties
Data controllers established outside the EU that process the personal data of individuals within the EU will need to appoint a representative inside the territory.
6. Data Breach Notification
Data controllers will have to report any personal data breach to the data protection authority without undue delay and, where feasible, within 24 hours of becoming aware of it; a notification made later than that must be accompanied by a reasoned justification for the delay. In certain cases, data controllers may also need to notify the affected data subjects.
7. Fines
Data protection authorities will have the power to impose fines of up to 2% of a company’s annual worldwide turnover for violations.
8. One Lead Supervisory Authority
The data protection authority of the member state in which a multi-jurisdictional data controller has its main establishment will act as the lead authority, supervising that controller’s data processing across all member states.
9. The Cloud
Cloud providers, which act as data processors, will also be held directly responsible for a breach caused by their own inadequate planning, policies, or procedures, whereas under the Directive liability rested with the controller.
While further implications of this single digital union will continue to surface, MSPs can act now to strengthen their organizational controls. Assess all of your internal processes and develop strategies for data classification, retention, collection, removal, storage, and search. Track your efforts, report on them regularly, and above all train your employees to comply with the policies and procedures you put in place.