Are you ready for the European Data Protection Reform?

The Right to be Forgotten, its consequences and much more. By David Moseley, EMEA Solutions Manager at Veritas.

• Wednesday, 14th October 2015, by Phil Alsop

The European Union is under pressure to act on data protection. Its legislation on the matter dates back to 1995, when the Internet was home to a measly 23,500 websites. Two decades later we consume and create so much data that we can often feel out of control, so it is little wonder that the proposed General Data Protection Regulation (GDPR) is causing some confusion even amongst the most informed.

We have the liberating advantage of having the world at our fingertips (quite literally), but this freedom has come at a price. Aside from a small community of IT visionaries, nobody could have predicted anything like social media, cloud computing and big data. We need to ensure we maximise the benefits from the Internet and new technology but also that we have the safeguards to ensure that this is not at the expense of our privacy. The original Data Protection Directive harks back to a time when data processing was more about filing cabinets in office basements than data storage racks around the globe. It’s time to evolve.

EU institutions and member states have been negotiating this reform since 2012. This summer, the member states approved an initial draft Regulation and anticipate final approvals to happen by the end of 2015 or early 2016. The Regulation itself is planned to come into effect by the end of 2017 or in 2018.

The imminent adoption of the GDPR means that individuals in the EU will soon be able to demand that their personal data be erased. Under the proposed Regulation, any organisation handling personal data of individuals from the European Union will be required to comply with such requests, even companies based outside Europe. The new Regulation will catapult European data protection into the era of big data, but many companies and public authorities could be caught out if unsure of how the GDPR will affect the way they handle their data.

The latest developments suggest that the final GDPR provisions and requirements will include:

The right to be forgotten or deleted: Organisations will have to completely erase personal user data if a user requests it, unless the data falls under compelling record keeping obligations.

The right to be notified of serious data breaches: Serious data breaches will have to be notified to data protection authorities, and users affected must also be individually notified in due time if their privacy is directly at risk.

The right of access and portability: Any individual may enquire as to what data has been collected on them, and demand access to that information. Organisations should make sure that individuals can have their personal data easily transferred to other organisations.

The principle of accountability: Organisations managing personal data must at all times be able to demonstrate that they are good and responsible data custodians. They must implement Privacy by Design and Privacy by Default, they need to understand how their data flows and secure it at all times and all places, they may have to carry out mandatory impact assessments, and they might be required to hire a Data Protection Officer.

The specific requirements around these principles, and notably on the ‘right to be forgotten’ are still under negotiation. Regardless, organisations will need to curb their hunger for data, making sure they only collect so much personal data as they actually need for the particular purposes they have specified to the user.

The implementation of the Regulation could see a massive increase in citizens requesting that their personal data be erased under the right to be forgotten. This provision will pose a challenge to IT and other departments like HR and Legal in both private companies and public authorities. Organisations will need to adapt existing data protection processes and policies to the new legal situation. Companies should ensure they are prepared for an increase in customer enquiries once the new Regulation comes into effect, and they need to be ready to search, locate, isolate and erase all iterations of a user’s data across their entire IT infrastructure if requested to do so. This will take eDiscovery to a whole new paradigm.

One pitfall to avoid is treating all data as equal. Over-provisioning for information management hinders compliance and clogs up core systems. Prioritisation, based on a risk assessment aligned to data type, will be critical. The upside is that optimising the way you handle data privacy in response to EU law will also optimise the way your business responds to customers, partners and employees. The confidence to be able to deal with the GDPR can provide an organisation with:

• Assurance in its customer service levels

• Confidence in its information handling processes at scale

• Agility and innovation in information governance and management

• Competitive edge inherent to more efficient information governance processes

The more subtle, and potentially even more significant, benefits of this confidence are demonstrable brand integrity and competitive advantage, especially when GDPR rules start to catch out the unprepared. Understanding the role of information management in data privacy is about to become a key success factor for all organisations with EU customers.