How to comply with the new EU Data Protection Regulation

For the first time in many years, the European Commission is reevaluating the European Union's data protection regulations.

While technology has moved on, the current regulations have remained stagnant and woefully inadequate to protect an individual's or an organisation's data.

Aside from updating the regulation to align with the technology changes in the market, the EC is also aiming to create a single, pan-European law for data protection, replacing the current patchwork of national laws across the EU.

It also aims to create a one-stop-shop approach, allowing organisations to deal with one single supervisory authority (at a local level, generally where the organisations' European main base is located), not 28.

>See also: EU Regulation: time to act on corporate data protection

IDC believes a single Europe-wide data protection regulation is a step in the right direction. It is also good for organisations doing business in Europe, as it cuts down on the overhead of complying with multiple local data protection acts.

However, the new EU Data Protection Regulation forces organisations to apply a different perspective toward compliance and risk management.

The EU Data Protection Regulation places a greater weight in organisations needing to demonstrate the deletion of data linked to an individual (the data subject) under the right to erasure clauses.

Therefore, organisations will need to ensure it fully understands the flow of its data throughout the data life cycle.

Business leaders within an organisation have to take more responsibility toward risk ownership. Increasingly, stakeholders within an organisation (and external stakeholders such as shareholders) are asking questions not only from technology leaders but also from business leaders when there is a failure of security controls.

The regulation introduces larger fines for noncompliance — up to 2% of global turnover or €100,000,000 – and will require organisations to build and implement new processes to satisfy the breach notification clauses that are currently in place.

Organisations need to notify the supervising authority once it has become aware of a breach. Crucially, however, they will also need to communicate the breach to the data subjects.

Privacy by design and privacy impact assessments will become mandatory. Therefore, organisations need to ensure that risk analysis is embedded into business processes.

Developing a data-protection framework with appropriate governance assures that data protection is tied into business processes and that business executives are forced to continually assess the risk of noncompliance.

Future outlook

The current timetable for the EU Data Protection Regulation is for it to be finalised in 2014, with organisations expected to be compliant two years later. However, IDC does not believe that will happen.

In an increasingly connected economy, the regulation is necessary to make sure that the rights of data subjects are not abused nor protected with the appropriate security controls.

>See also: The enterprise guide to preparing for the EU’s new data-protection legislation

The large fines that will be introduced will ensure organisations will have a real impact to their bottom line as a result of noncompliance. However, the exhaustive process that the regulation needs to go through within the EU does mean that constant delays are to be expected before the final version is published.

While the regulation brings in stricter legislation (e.g. increased fines and breach notification), there are questions on the availability of resources from data protection authorities.

Enforcing the new regulation will require a high number of training resources to ensure compliance to the regulation.

As a result of the potential lack of resource, IDC believes data protection authorities will be selective on the enforcement of the regulation. For example, larger multinational organisations will be initially targeted because of the potential for levying larger fines for breaches.

Despite all the rhetoric in Europe — primarily as a result of the NSA leaks, of having a separate European Internet or forcing international organisations to keep European citizen data within Europe — the reality is that the dominant technology firms are mostly US based.

As a result, US organisations will continue to process European citizen data and host that data in datacenters located in the US.

Indeed, global organisations such as Microsoft and Amazon are taking steps toward setting up European data centres. However, this is not as a result of a particular European regulation.

It should be noted that the EC is working closely with the US to allow for some guarantees to be in place to ensure appropriate enforcement of European regulation on European citizen data hosted in the US.

Compliance

To prepare for compliance to the regulation, an organisation's goal must be to proactively identify risks and provide a level of assurance that controls are in place to provide compliance toward the regulation.

To be able to proactively identify risks, organisations must be able to build out a holistic view of the data processed within the organisation and the subsequent controls that are applicable to mitigate risk throughout the data life cycle.

Once the organisation has built a picture of the type of personal data it processes and the respective data flows throughout the data life cycle, it will then be able to more accurately identify the controls it has in place at key points throughout the data life cycle.

Data-protection governance and strategy ensures alignment to the business and also has ownership of policies and processes, risk assessments, and others. It also drives compliance and control requirements.

>See also: Big data vs. big regulation: Will changing the rules empower consumers?

The data-protection controls link to respective steps within the data life cycle. To ensure effectiveness of the controls implemented, regular testing of the controls will need to be conducted.

Internal audit must also be engaged to make sure that the controls testing are appropriate and relevant, and that the processes and policies implemented are appropriate for continued compliance to the regulation.

Although the EU Data Protection Regulation is yet to be passed, it is highly recommended for organisations to get the building blocks in place in preparation for the regulation.

Knowing your data (i.e., understanding the data flows of your data), identifying the risk owners, developing and implementing new processes, and maturing the data protection framework will make compliance toward the regulation a less daunting and, in the long run, a financially more efficient method toward compliance.

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Data