The new EU General Data Protection Regulation, intended to provide greater harmonisation of data protection rules across Europe, will be published on 26 January. So what? Well, rather than being something radically different or new for organisations and data controllers to get to grips with, the new Regulation trumpets compliance with two of our existing data protection principles: personal data shall not be kept for longer than is necessary, and personal data shall not be transferred to a country or territory outside the European Economic Area (EEA).
For example, the much-heralded ‘le droit à l’oubli’ clause (‘the right to be forgotten’ apparently, although my schoolboy French was limited to ordering half a kilo of sausages, with predictably hilarious results), which will require a person’s internet history (e.g. cookies) to be deleted after use, has incited some rather inflammatory statements in some quarters. Data protection compliance has been likened to an onerous killjoy like Blakey from the bawdy 1970s television programme ‘On The Buses’ (http://www.scmagazineuk.com/new-data-protection-laws-will-see-blakey-in-every-business/article/218287/?DCMP=EMC-SCUK_Newswire). In the end, however, this is just an application of the well-worn requirement to retain information only for as long as you need it and then permanently delete it.
Likewise, the ‘new’ Regulation also addresses extra-territorial measures by third countries, such as the USA PATRIOT Act and the US Foreign Intelligence Surveillance Act, and imposes barriers to foreign judicial authorities accessing European data. This issue became international news recently when a US court requested the account details of European Twitter users (http://www.bbc.co.uk/news/world-us-canada-12459989). When all is said and done, however, the Regulation is only reinforcing what we should all be doing anyway, i.e. not transmitting personal data outside the EEA unless there is a good and lawful reason (for the UK these are set out in Schedule 4 of the Data Protection Act 1998, which covers cases such as the data subject’s consent and transfers under contract terms approved by the Information Commissioner – http://www.legislation.gov.uk/ukpga/1998/29/schedule/4).
The Regulation is also published against the backdrop of the growing use of Cloud-based computing platforms, where service providers host client data globally and it is not always clear that all of the information (including backups and replicated copies) is permanently deleted when the client goes elsewhere.
So how do organisations ensure compliance with data protection against a backdrop of technological change, increased costs and a more competitive marketplace?
Well, I am sorry if it is a disappointment to you, but you do not all need to go out and get a ‘Blakey’ (anyway, there are not enough of us to go around!):
- Firstly, identify accountable business ‘experts’ to be responsible for your business data, including compliance with statutory requirements like data protection (they could also be ‘on point’ for information security and business continuity in their areas, but I digress);
- Secondly, talk to and coordinate these business representatives to find out where your organisation’s personal data actually is (a small governance team would be ideal for this). It is amazing where it ends up (e.g. in cookies, spreadsheets and third-party services), and you cannot look after it until you know where it is;
- Next, identify the legal, regulatory, contractual, best-practice and business requirements that apply to your business information; and
- Finally, conduct regular assessments of your compliance against these requirements so you can monitor progress (or otherwise).
Advent IM Consultant – Mark Goddard