In this guest blog post Andrew Walker, director at sourcing consultancy ISG, looks at the impact of the new EU data regulation on businesses and IT service providers.
New, stricter data regulations could spell IT upheaval
By Andrew Walker
"The use of consumer data is a pertinent issue for both outsourcing providers and clients, gaining attention recently as online giants, such as Google and Facebook, change their privacy policies and various cases of personal data being leaked by (or stolen from) firms hit the headlines. Add to this the growing popularity of social networks and Twitter and there is now an increasing pressure to strengthen data regulations - legislation which undoubtedly has a far reaching impact.
The new EU Data Regulation was first published in January this year, and once approved by the EU Parliament, is set to come into force in two years' time. This not only leaves corporations with little time to get their security systems and structures in order, but also, and perhaps most worryingly, very few companies and service providers seem to be aware of the workload and cost involved in readying themselves for these changes.
Whilst the current regulations that deal with EU citizen's personal data are seen as inadequate and in need of standardisation across EU member countries, the new regulations are broad and if breached carry severe penalties. For instance, the new regulations clarify the importance of consent. Explicit consent from EU citizens for organisations to use their data will be mandatory, rather than the implied consent used, for example, in the UK today.
An underlying principal of the new regulations is continual assessment with an ongoing obligation for monitoring and auditing data - for example, in the case of projects, before a project involving data is initiated there must be a privacy assessment identifying for how long personal data will be processed and stored.
In terms of enforcement, one of the most important features of these regulations is that they will apply to personal data for all EU citizens no matter where it resides. This means this is now a global issue and affects IT service providers that store or process this data all over the world.
As for punishment, if these regulations are breached businesses can face fines on a scale of up to 2% of annual global turnover. What's more, it is likely that enforcement will be strict, as the architects of the rules intend to make the regulators self-funding.
As a consequence of these regulations coming into force, organisations will need to implement new and additional processes and changes to systems, such as audits, privacy assessments, new policies, updates to client consents, new procedures and additional monitoring. Of course, these all carry a substantial initial cost, as well as strengthened and consolidated data protection organisations staffed with skilled, experienced people.
Furthermore, organisations of over 250 employees will also need to establish mandatory Data Protection Officers, which carry additional overheads for these larger firms.
So, in the face of the approaching, new and stringent data regulations, what needs to be done next?
First and foremost, firms must review their current products and services to determine the impact of the new draft regulation. For businesses that rely on IT outsourcing, or where significant elements of the IT services are outsourced, this is especially important.
Firms will then need to assess the overall impact of the regulations on their operations and the degree to which they need to be adjusted. Pre-emptively, those in charge of personal data should determine whether there are measures that can be taken before the regulations come into play to reduce the financial and operational impact of the regulations.
Finally, and perhaps most crucially, businesses must assign responsibility, either to someone in the organisation or to an external adviser, to monitor progress of the regulations and establish a decision process regarding plans and changes to products, services and outsourcing arrangements. This will help to avoid costly rework and minimise the cost and impact of implementation.
Realising the sweeping effects of this new legislation, and taking steps to get systems in order, is now imperative for businesses. For those who fail to grasp the seriousness of this new regulation, imagining a fine equal to 2% of their annual global turnover landing on their desk should be enough to make them reconsider."