Delayed EU Data Protection proposals still playing catch up three years later

In 2012, new EU rules were announced designed to make businesses more responsible for the management of an individual’s personal data, with stricter requirements for protection and penalties around data breaches, thereby offering individuals greater control. The rules were also designed to commit EU member states to a set of consistent, legally-enforced regulations and rigid definitions, which companies outside the EU would also have to abide by.

However, it is likely to be a further year before the proposals are finally agreed upon, which is a long time in the rapidly evolving digital universe. Not only have consumer attitudes and behaviours changed significantly since 2012, but new tools and technologies have transformed the way data can be used by businesses.

For example, new digital marketing tools have entered the market that can capture, track, profile, target and personalise individuals more effectively than ever before. In such a complex, data-rich landscape though, it will be a tough ask for businesses to seek and obtain ‘explicit consent’ from each consumer as demanded by the proposals. In addition, the rise in e-health applications, personal lifestyle monitoring and cloud computing are further transforming what data can be collected and how it is used.

With data-driven services entering everyday life, consumers have become complacent about data use. European research from Iron Mountain found that 88% of consumers deal with so many organisations, both online and offline, that they don’t know who holds their information. Three quarters (72%) said they were not convinced that the benefits of having their information deleted are worth the bother of getting it removed.

>See also: How to comply with the new EU Data Protection Regulation

However this consensus is not universal. There are areas where data privacy concerns are rising sharply. The widely reported NSA investigations, growing cyber threats and invasive marketing leave many consumers feeling vulnerable and angry about how their personal data is gathered and put at risk.

In short, connected consumers have taken to setting their own standards for acceptable data privacy. Recent studies show that people are prepared to reveal more information to the organisations they trust, which are often businesses that already have effective data security and privacy standards in place. With this in mind, companies may be better off responding to the evidence of such consumer behaviour rather than waiting for the legislation to be finalised before they decide how to prioritise and protect the use of personal data in their business.

This is even more important because, during the course of the last three years, a number of landmark events have meant that, in the absence of the new legislation, other entities have started to make important data protection decisions. These include the May 2014 judgement against Google on the ‘right to be forgotten’, a cornerstone of the proposed regulation.

There is a great deal that is valuable, and much needed, in the new proposals. They will ensure consistency across the 28 European member states and with organisations outside the EU that collect, store or process European data. They will build a strong framework around the use of personal data in research, and need for ‘anonymising’ such data. Furthermore, they aim to ensure that definitions for frequently used terms are universally agreed, understood and implemented.

With the ongoing delay, however, organisations need to ensure they are prepared ahead of time – not just in 2016 when they are finally agreed upon and implemented.


Sourced from Sue Trombley, Iron Mountain

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...