In January 2012, the European Commission announced two important pieces of legislation affecting the personal data of EU citizens: the EU data protection directive and the EU data protection regulation. Of the two, the data protection regulation will have the greater effect on most businesses that collect, hold or share data within the EU. This article will focus on the steps businesses can take to prepare for the new regulation when it comes into force.
The impending data protection regulation
With the EU data protection regulation, the European Commission has proposed a comprehensive reform of the current data protection rules. The reform will do away with the current set of fragmented rules, and create a single data privacy law that stretches across Europe. It will also enable businesses to deal with a supervisory authority in just one country, rather than having to coordinate compliance efforts across individual European countries in which it does business.
The overall theme of the proposed data protection regulation conveys that all personal data should be treated fairly and transparently. The proposal states, “The specific purposes for which the data is processed should be explicit and legitimate and determined at the time of the collection of the data. The data should be adequate, relevant and limited to the minimum necessary for the purposes for which the data is processed; this requires in particular ensuring that the data collected is not excessive and that the period for which the data is stored is limited to a strict minimum.”
In addition, the new regulation will give consumers easier access to their own data, and the right to have their data deleted or “forgotten” from any systems.
Directive vs. Regulation
When an EU directive is agreed upon, all member states must pass their own legislation to enact the content put forward. Companies in a member state that do not undertake this step are not mandated to comply with the directive.
An EU regulation applies across all member states without any member having to take further action. The proposed data protection regulation is intended to be a comprehensive reform of the current Data Protection Act (DPA).
Under the new regulation, businesses that suffer a serious data breach will be required to notify their supervisory authority within 24 hours, if possible. Businesses that are breached may also have to pay fines of up to 2% of their total revenues.
If the proposed data protection regulation is passed, it will become a mandatory compliance regulation throughout all of the EU. It is not yet clear when the proposed data protection regulation will become law, or if there will be changes to the regulation before it becomes law, but it is likely to come into force sometime between 2013 and 2015.
With a total of 91 articles, the proposed data protection regulation is quite extensive. James McCloskey, senior research analyst for Ontario-based Info-Tech Research Group, believes the rules planned by the European Commission could eventually be adopted in other geographies.
“The EU has driven leadership in terms of regulatory advances in legislations in other jurisdictions,” McCloseky said. “It ramps up the expectations of what it means in terms of protecting data.”
To prepare for the time when the proposed data protection regulation becomes law, businesses should first ensure they are practicing good information governance. If effective information governance practices are implemented, complying with data protection legislation becomes less complex and costly.
Good information governance can only exist when a business knows what data it collects, who and where the data comes from, where it’s stored, how it’s stored, how it’s used and what it’s used for. It is also important to know all movements of data, any duplicates of data, and the quality and the integrity of the data at any one time.
Having this information will enable businesses to quickly respond to questions they may be required to answer in order to be considered compliant with the data protection regulation, such as:
- Have you implemented a data classification scheme?
- Does all company data have a known data owner?
- Can you identify all the employees that access all the sensitive or personal data you hold?
Quick wins for SMBs
There are a number of steps a small or medium-sized business can do (or should be doing) that can provide a "quick win" for compliance when the regulation comes into effect.
First, determine whether the business already complies with existing data protection regulations. If not, plan how and when it can become compliant, and document this plan.
Review relevant documents, such as policies, procedures, standards and guidelines, and make a note about which ones will likely need to be amended.
Scope of the regulation
Multinational companies must determine whether they must comply with the data protection regulation.
The proposed regulation states: “Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union or not…The processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services to such data subjects, or to the monitoring of the behaviour of such data subjects.”
Determine the information that must be provided to end users once the new data protection regulation is in place. For example, it may be necessary to create or update a document on users’ rights as provided by the regulation, telling them how these rights can be exercised, the process to exercise these rights, and who in the company they can contact for further information.
Brief the executive board or senior management on the impending data protection regulation. They must make a commitment to support the changes that may be necessary for compliance.
If the company operates across several EU member states, decide upon and document which country will be the “home” country in all matters involving the data protection regulation. The company may need to communicate with a supervisory authority in the future, and the proper supervisory authority is determined by a company’s home country.
Create or review the plan to communicate a data breach incident within 24 hours to the data protection authority of the company's home country, as well as individuals affected by the breach. Be sure to document the process that will be followed after the breach, showing what information will be communicated, how it will be communicated to affected parties, and who in the company will do the communicating.
Long-term compliance projects
Once these initial actions have been completed, consider undertaking one or more long-term projects to embark on the path toward full compliance, which will be necessary when the data protection regulation is implemented. These projects may include:
Obtaining user consent -- Ensure consent is obtained from all users for all processing that is undertaken on the user data the company collects.
Managing third-party relationships -- Under the new data protection regulation, it will be especially important to control the data flow between a company and the third parties with which it works, such as suppliers, according to InfoTech Research Group’s McCloskey. “If there is a violation, that liability is going to accrue directly to your company regardless of what third party you involved,” McCloskey said. “You may have some opportunity to sue them later, but ultimately, it’s your brand and your responsibility.”
Anonymising data -- Remove identifying data in all cases (such as birth dates) where such data is not relevant or necessary. This may include masking or scrambling the data.
Implementing data protection by design and default -- This means not only retro-fitting citizen rights into existing applications, but also considering those right when designing any new processes or systems that will use citizens’ data.
Controlling data on mobile devices -- Businesses today face a lot of pressure internally to support mobile devices, from executives and everyday end users alike. According to McCloskey, it’s nearly impossible for a company to manage data sent or received by these devices. McCloskey recommends putting full security controls on devices, or setting up virtual desktop environments to make the data available to users while minimizing the footprint. “If you don’t deal with the proliferation and accessibility of data from these endpoints, then dealing with data protection is going to be futile,” McCloskey said.
Moving to a single identifier for each individual -- By having a single identifier, all records relating to an individual can be cross-referenced, regardless of the number of systems or applications involved. This will help when there is a need to respond to users’ requests to have their data deleted or forgotten.
Encrypting data based on a separate key for each user -- Consider either providing the encryption key, or permitting users to use their own keys. Encryption systems and key management systems are becoming more powerful and easier to set up and use, although they still need to be built into the system architecture. Also keep in mind these systems may require extra processing power and may slow down existing applications. However, the benefits of providing users with their own encryption keys can be significant. When a user wants to exercise his or her right to data deletion, or the right to be forgotten, the user can do so simply by withdrawing the use of the key. For many people who take their privacy seriously, this is the preferred direction to follow.
The outcome of compliance
Like many tasks in IT security, if the right principles are used at the outset, it is easier to do more with existing resources at a lower cost, rather than trying to retro-fit good practice later. Data is important, and personal data is even more important; it can make or break a business in today’s Internet-connected world.
In many cases, personal data is the one asset group that is leading to high valuations of businesses. This is because the analysis of that existing data can lead to further up-selling, more targeted promotions, and other campaigns that will increase revenues. Therefore, wise businesses will create environments that enable them to control user data in ways that provide users with confidence to offer more personal data to the business.
The data protection regulation sets out citizens’ rights with the aim of encouraging businesses to provide that environment. And while there are fines associated with non-compliance, the most important motivation to become compliant should be to achieve sound information governance practices, which ultimately lead to cost reduction and profit generation.
About the author:
Sarb Sembhi, CISSP-ISSAP, GCIH, GAWN, is the director of consulting services at Incoming Thought. His is a past President of the London Chapter of ISACA, and the founder of its Security Advisory Group, and current Chair of the Europe and Africa Region Government & Regulatory Authority Sub-Committee.