The proposed changes to the EU data protection laws are intended to simplify what has become a quagmire of differing standards derived from existing legislation. The existing law is often implemented differently across states, which makes moving data in the EU challenging.
Personal data is now defined as any information that relates to an individual's private, professional or public life. This includes their name, e-mail address, photo, postal address, posts on social networks, bank details, medical records and even the IP address of their computer.
The EU's Charter of Fundamental Rights says that everyone has the right to the protection of their personal data in all aspects of their life. The implications of this broad statement should not be underestimated.
It introduces a "right to be forgotten" that is designed to help people manage their personal data if there is "no legitimate reason" to keep it.
Further, where consent is required to process data, it must be given explicitly rather than assumed.
Preparing for EU data protection rules
The top five things businesses need to do to get ready:
1. If you have over 250 employees, you need a data protection officer to act as the focal point for all data protection activities;
2. Refresh your information asset register so it clearly identifies what data is held, where, how and why – this may need a rethink as it may not be so obvious;
3. Your privacy policies will likely need to be rewritten – the new guidance states they must be written in plain English;
4. You will need processes and procedures to handle requests from data subjects and requests for data deletion;
5. As a serious breach could cost you a minimum of €250,000 up to €1,000,000 or 2% of global turnover, you will want to review your technical and procedural controls around your data.
From a cloud computing point of view, these changes are long overdue and will ease the roll-out of utility-based computing in the EU. The key lies in privacy policies that inform users how their data will be stored and processed and that gain their consent.
Matt Villion is chief operating officer at the Cloud Security Alliance UK & Ireland