Businesses may feel three or four years is plenty of time to get ready for the new data protection framework in Europe, but the clock is ticking and it is later than they think. A study by Vanson Bourne for SecureData, of 100 senior IT managers in large UK enterprises, found 59% of respondents said the draft data protection rules would cost their business more, so preparation will be key.
While most commentators agree that much work still needs to be done before the proposals are finalised, they also say businesses cannot wait until then to start preparations. Regardless of the changes that may be made to the draft proposals, businesses can and should be getting ready for the major shake-up that is on the way.
Computer Weekly asked IT and legal professionals what practical steps businesses can take to ensure they will be in the best possible position when the new rules finally go into effect.
First, organisations should get their privacy policies, procedures and documentation in order and keep them up to date, as Data Protection Authorities will be able to ask for these at any time, says Adrian Davis, a principal analyst at the Information Security Forum (ISF). For many organisations, this process may involve a complete re-write of policies because the draft proposals state that they must be written in plain English.
One of the key themes of the proposed regulation is accountability, says Jane Finlayson-Brown, a partner in the corporate department of law firm Allen & Overy. "In practice, this will entail establishing a culture of monitoring, reviewing and assessing your data processing procedures, aiming to minimise data processing and retention of data, and building in safeguards to all data processing activities," she says. Auditable data impact assessments will also need to be conducted and steps taken to address any risks highlighted.
In addition to reviewing existing policies and practices, organisations must do what is necessary to make all employees fully aware of the implications of the changes and train them in the application of any new policies, says Phillip Webb, chairman of the BCS Government Relations Group.
The Corporate IT Forum recommends that organisations should ensure they have clear policies signed (and re-signed) by individuals, and supported by appropriate technology to aid maintenance of policy awareness.
"Use policies and user input to help define the rules for tools, and use tools to segregate personal and corporate data on mobile devices," says Ollie Ross, head of research at The Corporate IT Forum. "Although the usability of digital rights management (DRM) is not straightforward, it’s easy to apply simple controls such as preventing data copying and document printing."
Beyond policies and employee awareness, particular attention should be paid to data security, says Richard Hollis of the ISACA Government and Regulatory Advocacy subcommittee (GRA).
Organisations should consider a data protection audit, he says, as a good way of identifying potential weaknesses in their systems, so that these can be remedied before a breach occurs.
As a second major area of focus, organisations should form a governance group that oversees all privacy activities, led by a senior manager or executive. If the company has more than 250 employees, appoint a data protection officer (DPO). "The group should develop metrics to measure the status of privacy efforts, report regularly and create statements of compliance that will be required as part of your organisation’s Annual report," says Davis.
Role of the data protection officer
The role of the DPO is to ensure the rules are being enforced appropriately, but a survey last year of 2,000 CIOs globally found only half of CIOs currently sit at operational or board management level, according to Phil Stewart, secretary & director of communications at ISSA UK. "If your CIO has little board input or budget responsibilities, now is the time to make these changes to empower the CIO with budget responsibility and board influence," he says.
Third, organisations should implement a breach notification process and enhance their incident management processes and detection and response capabilities. "Any data breach must be reported to the relevant data protection authority, even if protective measures, such as encryption, are in place or the likelihood of harm is low," says Davis.
UK businesses should design these processes in such a way that they will enable the business to inform authorities and data subjects about data breaches as early as possible, says Webb, as the draft proposals call for notification within 24 hours.
However, UK justice minister Tom McNally has raised concerns that this requirement may delay work to mitigate the effects of the breach. The existing e-privacy directive's requirement of notification "without undue delay" is more realistic, McNally told a Westminster e-Forum in March.
The ISSA's Phil Stewart notes that if appropriate technical measures are in place, such as encryption, then the requirement to notify the data subject may not apply. "Therefore, all organisations should conduct risk assessments to identify personal data and ensure it is adequately protected," he says.
Fourth, organisations should prepare to fulfil the "right to be forgotten", "right to erasure" and the "right to data portability".
"A strategy covering data classification, retention, collection, destruction, storage and search will be required – and it should cover all mechanisms by which data is collected, including the internet, callcentres and paper," says Davis.
This will include implementing a process for obtaining explicit consent from individuals and detailing how this information will be used by them and any third parties, says Webb. It will also include processes and procedures to handle data deletion requests and other queries from data subjects.
The right to be forgotten
The Corporate IT Forum recommends organisations consider the practicality of implementing the "right to be forgotten" now, especially in customer and marketing databases, as retro-fitting could be more expensive than early incorporation.
Organisations should analyse the legal basis on which they use personal data and consider if they rely on data subject consent to process personal data, or whether they can show they have a legitimate interest in processing that data, which is not overridden by the interests of the data subject, says Finlayson-Brown.
Companies that rely on obtaining consent to legitimise processing should review whether existing forms of consent are adequate and check that consents are freely given, specific, informed and explicit, and should note that they will bear the burden of proof.
Businesses should also look at what data transfers they undertake and how they ensure that transfers of data to countries not recognised as having adequate data protection regulations are nonetheless safeguarded in a way that is compliant with legislation.
This includes considering whether or not to adopt binding corporate rules to facilitate intra-group transfers of data.
As with intra-group international data transfers, Finlayson-Brown says it is also important to ensure that a business has a legitimate basis for transferring personal data to jurisdictions that are not recognised as having adequate data protection regulation.
"This is not a new concern, but as failure to comply with the proposed regulation's requirements in this respect could attract a fine of up to 2% of annual worldwide turnover, the consequences of non-compliance could be severe," she says.
Information asset management
Matt Villion, chief operating officer at the Cloud Security Alliance UK & Ireland, recommends that organisations refresh their information asset register so it clearly identifies what data is held, where, how and why. "This may need a rethink as it may not be so obvious," he says.
Villion also recommends a review of technical and procedural controls around data in the light of the fines provided for in the draft proposals for serious breaches of personal data.
Fifth, organisations should create and enforce privacy throughout the systems lifecycle to meet the "privacy by design" requirement, whether software and services are bought or developed in-house. "This will ensure that privacy controls are stronger, simpler to implement, harder to by-pass, and totally embedded in a system’s core functionality," says Davis.
While many in the IT and legal professions believe the proposed EU data protection regulation is likely to undergo fairly extensive negotiation and amendment, they expect the main concepts to remain.
But because compliance with obligations such as accountability takes time to become part of a company's DNA, most of those industry representatives felt organisations should not delay in taking action in the five main areas they outlined.
Any organisation that is still procrastinating or vacillating for any reason should consider if it can really afford €1,000,000 or 2% of its annual worldwide turnover.
In terms of the technical and operational impact, many IT departments face significant challenges keeping authorisation up to date, warns David Gibson, director of strategy at Varonis Systems.
This concerns making sure the right users are in the right groups and the right groups map to the right data resources, like folders, sites, and mailboxes.
“Unless the processes to grant, review, analyse, and revoke access are automated, content is automatically inspected to look for sensitive data, and access is monitored and analysed, the organization will be unable to maintain correct authorisation, and unable to monitor access activity to look for likely threats,” says Gibson.
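As an added illustration of the automated access review Gibson describes (not code from the article or from Varonis), the following Python example resolves nested group membership into effective access per resource, cross-references it with resources flagged as sensitive by content inspection, and surfaces entitlements that have gone unused for more than a set period as revocation candidates. All group, resource and log data is constructed for the example.

```python
from datetime import date, timedelta
# Constructed sample data standing in for a directory export, an ACL report,
# a content-classification result and an access log (not from the article).
GROUP_MEMBERS = {                        # group -> members (users or nested groups)
    "finance-staff": ["alice", "bob"],
    "marketing-staff": ["carol"],
    "all-staff": ["finance-staff", "marketing-staff", "dave"],
}
GRANTS = {                               # resource -> groups granted access
    "//fs1/payroll": ["finance-staff"],
    "//fs1/customer-export": ["all-staff"],
    "//fs1/brand-assets": ["marketing-staff"],
}
SENSITIVE = {"//fs1/payroll", "//fs1/customer-export"}   # flagged by content inspection
ACCESS_LOG = [                           # (user, resource, last access), constructed
    ("alice", "//fs1/payroll", date(2012, 5, 20)),
    ("bob", "//fs1/payroll", date(2012, 1, 3)),
    ("carol", "//fs1/customer-export", date(2012, 5, 28)),
]
REVIEW_DATE = date(2012, 6, 1)           # assumed date the access review is run

def expand_group(group, members=GROUP_MEMBERS, seen=None):
    """Resolve nested group membership to a flat set of user names (cycle-safe)."""
    seen = set() if seen is None else seen
    users = set()
    for m in members.get(group, []):
        if m not in members:             # a user: add directly
            users.add(m)
        elif m not in seen:              # a nested group not yet visited: recurse
            seen.add(m)
            users |= expand_group(m, members, seen)
    return users

def effective_access(grants=GRANTS):
    """Map each resource to every user who can reach it through any granted group."""
    return {res: set().union(*(expand_group(g) for g in groups))
            for res, groups in grants.items()}

def stale_sensitive_access(today=REVIEW_DATE, max_age_days=90, log=ACCESS_LOG):
    """Sensitive-resource entitlements unused for over max_age_days: revocation candidates."""
    last_used = {(u, r): d for u, r, d in log}
    cutoff = today - timedelta(days=max_age_days)
    access = effective_access()
    findings = []
    for res in sorted(SENSITIVE):
        for u in sorted(access.get(res, set())):
            used = last_used.get((u, res))
            if used is None or used < cutoff:
                findings.append((u, res, used))
    return findings
```

In the constructed data the broad "all-staff" grant on the customer export is what produces most of the findings, which is the group-to-resource mapping problem the quote refers to.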
The SecureData/Vanson Bourne study of IT managers reported that large organisations struggle to manage Active Directory to authenticate and authorise all users and computers.
The EC regulatory proposal provides an ideal opportunity to review data governance procedures and management products. Clearly all data will need to be audited, and unstructured data in particular will need to be monitored and classified.
Over a quarter of the senior IT managers that participated in the Vanson Bourne/SecureData study expected they would be outsourcing the data protection officer job role (as required under the proposed legislation). Firewall and network managers are the most likely security role to be outsourced.
Make your voice heard
Some businesses may wish to lobby for changes to any aspects of the proposed regulation that are particularly problematic for their operations. As the legislative process is only just beginning, there is scope for amendments to be made, Finlayson-Brown adds.
The Ministry of Justice issued a "call for evidence" to inform the UK's negotiation position on the proposed regulation, and the results should be available online by 4 June 2012. Representatives from the Ministry of Justice are also attending many events run by various interested associations and other groups to hear the views of interested parties.
Finlayson-Brown says organisations that have not yet commented on the proposed regulation through this process may wish to consider appointing a lobbying firm, perhaps the most effective way to lobby. Many of these firms are based in Brussels and are deeply familiar with the processes, timelines, committees and individuals involved.
“Alternatively, it is possible to lobby directly. You can track the committees involved and the rapporteur who will oversee and support the progress of the legislation online,” Finlayson-Brown adds.