The enterprise guide to preparing for the EU’s new data-protection legislation

When Google was famously ordered by the European Court of Justice to remove outdated information about a Spanish man’s repossessed home from future searches, it was clear the wind of data change was starting to blow. But how prepared are UK businesses for what lies ahead?

European Commission Vice President Viviane Reding described the verdict as ‘a clear victory for the protection of personal data of Europeans’, adding: “The ruling confirms the need to bring today’s data protection rules from the digital Stone Age into today’s modern computing world.”

Certainly the repercussions are already being felt at Google, which has since received 41,000 similar requests from users. But far bigger changes lie ahead.

>See also: Big data vs. big regulation: Will changing the rules empower consumers?

Ministers are currently fine-tuning a new EU General Data Protection Regulation, which is likely to be approved in 2015 and in place by 2017. It will have major implications for all sectors on the way data is collected, stored and accessed.

The legislation, replacing the current Data Protection Act in the UK which has been in place since 1998, aims to provide a Europe-wide regulation for data controllers and processors. It will provide a one-stop shop to deal with a single Data Protection Authority in each country and new European Data Seals to aid compliancy.

It will also provide citizens with a ‘right to be forgotten’ if they want old or inaccurate data deleted, a right to know what information is stored about them and whether its correct – as well as a right for transparency in the way data is collected.

There will be significant fines – in the current draft the suggested figure is 5% of global turnover or €100 million if greater – for companies that negligently breach regulations.

So the big question for every CIO, IT manager and CEO across all sectors is: are you ready to leave the digital Stone Age behind?

Whether we are talking about the financial services, healthcare, the legal sector, manufacturing or the public sector, this legislation is coming, in one form or another.  It will have major implications not only for the way data is handled, processed and stored but also on how to deal with requests from individual citizens to search, delete or forward data – not to mention a significant impact on operational budgets.

Research shows British businesses are simply not ready. A recent Trend Micro survey, for instance, revealed 50% of British IT decision makers are completely unaware of the forthcoming legislation, let alone prepared for the financial impact it may have on operational budgets.

Perhaps CEOs and CIOs are hoping the proposals will be significantly watered down once Ministers across Europe have their say and a playing a waiting game; but this is a dangerous approach. Even if the final details of the legislation are uncertain, the direction of travel is not. European citizens want greater control over their data – and they are going to get it.

>See also: Half of UK businesses unaware of new EU data laws

Below are five key areas in which companies can prepare for all eventualities in an ever-changing data environment by adopting basic principles of data collection, storage and destruction.

These are steps which will not only place companies and organisations in good stead when the new EU Data Protection Regulation finally becomes enshrined in law but will also have a positive impact on operational health. 

1. Spring-clean your data: understand its value

Start with an audit to distinguish how much data currently stored actually needs to be kept. Is it ‘records’ or in fact junk or data noise? Destroying unnecessary information can help create a clearer picture for the future. For data that needs to be kept, make sure you know where it is stored, who uses it, how to access it and how to protect it. The key to good data practice is in understanding its value in the first place; so treat data like an asset. You wouldn’t leave an asset in the street for other people to pick up – and it is no different in a digital environment.

2. Know who is responsible: assign ownership

With fines for non-compliance set at up to 5 per cent of global annual turnover it is vitally important that someone in the business takes ownership and responsibility for staying up to date with new regulations. Make it clear which role in your business has responsibility for each type of data – whether it is the IT Manager, CIO, Records Manager or an outsourced company.

3. Develop processes now to deal with data breaches: be prepared

It will soon become compulsory for all companies in the EU to have a system in place for dealing with data breaches, including processes for notifying anyone affected by a breach. So why wait? Clear and well-practised procedures should be put in place now – not least to identify who is responsible for reporting.

4. Understand whose data it is: seek consent and open communication channels

In future companies will require explicit consent from people to gather their personal data; so get those processes in place early. Any company that stores personal data should consider what the legitimate grounds for its retention are and how it will communicate this to customers as we move inevitably from implicit consent to explicit consent. 

5. Design-in privacy: change your culture

Start to create a company culture where privacy is considered in every process and at every level of the business. Designing-in privacy – and making staff aware of its importance – is the key to good data practice as data protection evolves.

The bottom line is the age of data is changing fast, for better or for worse and whether we like it or not. So regardless of what ministers in Europe decide over the coming months – and however the final EU Data Protection Regulation takes shape – the digital Stone Age is on the way out.

For those who view it as an operational nightmare, the challenges are multiple. But for those who grasp the nettle and see it as an opportunity to truly value data as an information asset, the positives are equally clear. It could yet prove to be a brave new data world.


Sourced from John Culkin, director of information management, Crown Records Management

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics