Posted 3 July, 2015 • by Mary McCoy
image source: http://europeansanctions.com/page/2/
If you live in the UK or anywhere else in the European Union for that matter, you've likely been following the new EU data regulations reform movement which is expected to establish a consolidated data protection policy framework for all 28 member states.
In case you're unfamiliar with the legal proceedings or if you're looking for more details, we've provided background information on the current data regulation legislative standard and outlined what the unified proposal entails. It can be easy to miss the big picture when combing through paragraphs of legal jargon, but hopefully this summary will help pinpoint the key implications and explain how you can proactively respond!
As of right now, Europe is subject to the EU Data Protection Directive (Directive 95/46/EC), established by the European Union to safeguard the privacy and integrity of all personal data processed, used, or exchanged between EU citizens. In accordance with Article 8 of the European Convention on Human Rights (ECHR), the Directive is intended to protect "the rights of privacy in personal and family life, as well as in the home and in personal correspondence."
The EU Directive includes the following seven principles:
Under this standard, each EU member state manages data protection regulations and their enforcement within its jurisdiction. Data controllers are the ones who obtain the personal data from citizens in their country, data subjects, and are held to the seven principles as listed above. Additionally, each member state must form a supervisory authority in charge of monitoring data protection and launching legal proceedings when data regulations are violated. Adding to its decentralized nature, the Directive must be implemented by each member state and written into their own data protection legislation.
Up until recently this fragmented approach sufficed...
According to CompTIA's 10th Annual Information Security Trends study, 55% of respondents claimed the increased interconnectivity of devices, systems, and users were among top factors impacting security practices. Now with this rise in interconnectedness and the proliferation of social networks and cloud computing, European data regulations are being revisited and have been in a continuous process of reevaluation by the European Commission since January of 2012. Recently, however, there's been a breakthrough! After universal agreement among the justice ministers of each state, what was once the EU Data Protection Directive will eventually become the General Data Protection Regulation (GDPR). The EU's European Council projects its adoption in either this year or the next, with a two year period before going into effect. Once this happens, because it will be a Regulation and not a Directive, all 28 countries of the European Union will be immediately subject to the legislation.
So what does this mean? With one data protection framework, one "single digital union," binding all of the member states of the EU, privacy regulations and European citizens' data will be managed throughout the entire territory, rather than in the individual countries.
In response to this agreement, Director General of the European Consumer Organisation Monique Goyens gave the following comment:
"EU laws are now lagging behind the pace of technologies and business practices. Our personal data is collected, then used and transferred in ways which most consumers are oblivious to. An appropriate update must put control of personal data back in the hands of European consumers. This new regulation is the opportunity to close gaps, ensure robust standards and stipulate that EU laws apply to all businesses operating here.”
As of right now, the GDPR is still in draft-mode and will likely be for the next few months as the European Parliament, Council, and Commission negotiate a finished version. As stated originally, the law won't become enforceable for another two years. That doesn't mean service providers should remain idle though. Successfully implementing the new compliance and data protection standards will take time. Efforts should be made to begin planning today! See below for suggested areas for review.
Since this post originally published, there are a few new changes you should account for with this uniform regulation. Under the new standard, for instance, Computer Weekly reports that "all data that identifies an individual, whether directly or indirectly, will now be personal data." This increase in the amount of data that will need regulating (though perhaps not with the same degree of scrutiny) includes pseudonyms and IP addresses. Because of this, many more businesses will be affected, especially those that rely on customer profiling to build marketing and selling strategies around personal or behavioral data. With the new European Data Protection Regulation, these businesses will need to obtain consent from those whose personal data they want to track. How readily do you think these SMBs will provide this?
Customer data rights isn't the only consideration that still needs to be fleshed out. After a brief summer hiatus, the parties reconvened last Tuesday, September 1st, to continue discussing the implications of the GDPR. Not everyone is on board with a single digital standard, however. On the same day, the Russian Data Localization Law went into effect. As a result, all personal data gathered from those in Russia must now be stored within the country's borders, establishing a precedent of data sovereignty in the midst of a more unified data regulation movement.
Such a significant change in legislation could mean MSPs all throughout the EU will be forced to adhere to tougher data protection laws. How then should you respond to these latest updates? Computer Weekly has released a comprehensive guide outlining key components of the unified data regulation framework, those ISACA suggests IT service providers pay attention to.
Review and update your privacy policies, procedures, and documentation since data protection authorities can ask for these at any time. One way to evaluate your policies is by performing a data protection impact assessment.
Assemble an internal policy governance group to monitor all activities. If your organization has more than 250 employees or if you regularly and systematically monitor data subjects, you'll be required to elect an independent Data Protection Officer (DPO) to oversee and report on data management processes.
This stipulation requires data subjects to freely agree to the processing of their personal data and data controllers to prove consent. Subjects can opt out of direct marketing data usage.
Under this regulation, data subjects can mandate removal of their personal data and refuse further distribution by the data controller.
Data controllers outside of the EU who process data of those within the EU will need to appoint a representative within the territory.
Data controllers will have to report any personal data breach to the data protection authority immediately and within 24 hours upon learning of the breach. If longer than this, they must provide the reason. Data controllers might also need to alert data subjects who've been affected in special cases.
Data protection authorities will have the power to fine up to 2% of annual global turnover for violations.
The data protection authority in the EU member state in which a multi-jurisdictional data controller has its main establishment will monitor data processing of the data controller across all states.
Cloud providers, referred to as data processors, will also be held responsible if there's a breach due to their own improper planning, policies, and procedures.
While further implications of this new single digital union will continue to surface, MSPs can take action now to strengthen organizational protocol. Assess all of your internal processes and develop strategies around data classification, retention, collection, removal, storage and search. Track your efforts and frequently report on them and above all, train your employees to comply with the new policies and procedures you enact.
Meet Mary! Mary McCoy is a Demand Generation Programs Manager at Continuum, where she's worked for over two years. Mary primarily manages the MSP Blog and has consulted with hundreds of partners, lending website, blog and social media support. Before that, she graduated from the University of Virginia (Wahoowa!) with a BA in Economics and served as digital marketing intern for Citi Performing Arts Center (Citi Center), spearheading the nonprofit’s #GivingTuesday social media campaign. Like her school’s founder, Thomas Jefferson, Mary believes learning never ends. She considers herself a passionate, lifelong student of content creation and inbound marketing.