EU data protection regulation will drive privacy by design, says KuppingerCole

The EU data protection regulation will drive privacy by design in companies with European clients, says KuppingerCole analyst Karsten Kinast

The coming EU Data Protection Regulation will make privacy by design important for all companies who have European customers, according to Karsten Kinast, analyst at KuppingerCole.

“The major news about the new regulation is economic news that has geographical implications wider than the European region, to include US companies like Facebook,” he told Computer Weekly.

Kinast believes that a single European law will strengthen data protection and make it far easier to impose sanctions on companies that fail to comply.

“Data protection will become a standard part of compliance as sanctions also increase from a maximum of €100,000 to €1bn or possibly 2% of annual worldwide turnover,” he said.

This, coupled with the fact that the law will be the first to apply to all companies that do business in Europe, will help drive increased privacy by design.

“Privacy by design will play an increased role for any company that produces software as the new law will make them liable for any data protection breach related to using the software,” said Karten.

“The drive for privacy by design will also come from end user organisations because they will also be liable for breaches related to using the software.”

Read more about data protection in Europe

Data erasure will drive privacy measures

To comply with the regulation, software producers will have to ensure personal data is never exposed to unauthorised users and can always be deleted.

“Take SAP, for example, currently data cannot be properly erased in a legal sense once it is stored in the system, which does not meet the requirements of privacy by design,” said Karsten.

“Privacy by design means making software operate according to the law, which in the case of the new data protection regulation means making it easy for access rights to be exercised and for personal data to be erased after a certain period.” 

Kinast said the new law requires good identity and access management, however, this is currently largely lacking throughout Europe and beyond.

Business continuity and access management

“I see a connection with business continuity because often, when parts of a company are sold off, there is not good business continuity because there is no identity and access management,” he said.

Kinast believes that privacy by design will have a positive impact on business continuity.

Although the regulation tends to be seen in a negative light because businesses foresee they will have to put more effort into designing their software and services, he said that after a while, companies will realise that this approach will lead to better business continuity.

“Privacy by design will help companies realise that they need more identity and access management as well as an appropriate security strategy,” said Kinast.

Many organisations do not have proper access controls, he said, to ensure that employees can access only the software, systems and data that they need to do their jobs.

“Businesses typically cannot deal with the complexity of the software, feel they do not have the time to manage access rights, or believe it is a good idea to have as much access as possible,” said Kinast.

“In practice, most people are overwhelmed by the information they can access, and so privacy by design will help to focus only on what they really need.” 

Kinast is to take part in a panel discussion on the role of privacy by design in the EU Data Protection Regulation at the European Identity & Cloud Conference 2015 in Munich from 5 – 8 May 2015.

Read more on Privacy and data protection

Data Center
Data Management