For Mike Davis, author and spokesperson for independent global information professionals’ organisation, AIIM, recent European data protection regulation changes need to be tracked by anyone interested in storing and managing cloud content.
Last time we spoke here, (‘Are you set up to cope with the new EU Data Protection System?) I started to talk about the background to the EU’s new General Data Protection Regulation (or GDPR), which is all about bringing all 28 member countries under a single regime of rules, with similar penalties for breaches right across the Union.
Also as I said before, our organisation AIIM, working in collaboration with respected legal experts Bird and Bird, has produced a report called ‘Making sense of European Data Protection Regulations as they relate to the storage and management of content in the Cloud’ on what all this means for anyone interested in storage, content, the cloud, privacy – which may well be all of us these days – but should be particularly relevant to the DM world, I’d say.
But as I promised, I wanted to spend a bit of time now working through the main points and conclusions of the data. So let’s start with an overview of the background to EU data protection as it currently stands and what is going to change – in many ways, in very profound ways, that anyone interested in online privacy might well find it worth taking note of. Which, let’s be honest, is all of us here in the Information Age, surely?
There’s no need for a huge history lesson here – you can research if you like the way that both the EU and bodies like the OECD have been shaping government and legal responses to privacy since 1980 or so. All you really need to know is that a set of key principles came out of that process that resulted in the first EU Data Protection Directive of the mid-1980s that was implemented in the then EU states.
The problem was that this was done inconsistently and the US, while supportive of the principles, didn’t codify anything into law.
To try and rationalise all of this, the EU came up with another Directive in the early 1990s, the basis, ultimately, for all the various laws (think of the Data Protection Act) that cover privacy in the EU at the current time.
Now the main point to be clear on is that word ‘Directive.’ Not to get into too much Brussels jargon here, but a Directive is not legally binding for member states, so it can be interpreted differently, as has been the case with the individual data statutes in a number of EU countries.
You can see this in the way that Germany and Austria, for example, do not normally permit personal data of their citizens to be stored outside the physical boundaries of those countries and so on: there are lots of quirks that businesses (and public sector bodies) need to be sensitive to when it comes to storing and moving data inside (and outside) of Europe.
Now the lawmakers want to tidy all this up – and so are hardening up the Directive into a Regulation (hence the ‘R’ in GDPR). If Brussels makes something into a Regulation, then all member states have to make the same laws aligned with it and there can be no national or local exceptions. (You may find the Council of Europe’s Handbook on European Data Protection Law handy if you want more on this.)
OK – so that’s enough background. You know now that there have been historically varied laws for data and data privacy in different parts of Europe, but this is all being rationalised and changed now into one common, pan-European common legal system.
Now let’s cut to the heart of the matter and understand the what – what is changing, what will this new law look like?
Important new concepts in data responsibility
As far as GDPR is concerned (for which, read ‘European law’), personal data should only be used in line with the wishes of the data ‘subject’ (the person) and protected from loss, deletion, or other uses without the permission of the data subject. (Current examples of breaches of data protection legislation range from identity theft to the loss of backup tapes and so on.)
And the responsibility for compliance with data protection legislation rests with the ‘Data Controller,’ which for GDPR is the person, public authority, agency or any other body which is deciding the purpose for, and the means of processing, any and all personal data collected.
So, clearly, that Data Controller role is key. Under the new/evolved EU data regime, the Data Controller is the organisation itself, but the physical process of control and monitoring will be undertaken by a designated person, who may be titled the data controller or the data protection officer.
She/he has to be identified as clearly responsible on an operational basis for ensuring that the data collected by the organisation on its data subjects is managed, not only according to national law and regulation, but also to any organisation-specific policies.
It’s also worth noting that the Data Controller is going to be seen as the entity responsible for placing data in the cloud, with a Data Processor (provider). While ultimately it will be the CEO, or equivalent, who will be held responsible for any breach, it is this special designated person, through establishing procedures, processes, monitoring and reporting regimes, who is expected to keep the organisation compliant.
Which brings us to the Data Processor. What do they do? Well, that term is meant to encompass the designated person/company responsible for the physical “capture, storage and processing of the data subject’s information.”
This may be within the organisation for on-premise solutions – but in the outsourced or cloud environment it can be one, or even a number of, organisations.
However, with regard to both the current directive and the future regulation, the prime responsibility for protection of personal data will always lie with the Data Controller.
So now I have laid out the history of the EU and data, at a very top level; I have told you how the regulation, the European General Data Privacy Regulation, or GDPR, that is coming in, is designed to create one unified data law right across the EU. I have also told you a bit about the idea of a Data Controller and a Data Processor.
Two last bits of information for today, I think, then we are done for now.
One is that the GDPR will establish a European Data Protection Board (EDPB) to oversee the administration of the Regulation right across the EU. That is important, but possibly of more immediate interest to the DMCollaborators’ audience is this key fact: unlike the existing Directive, the new Regulation covers both cloud computing and social media and provides common EU levels of fines for breaches.
For a ‘negligent breach’ of privacy or a loss of data, it is proposed that a company can be fined up to 5% of its annual revenues – up to a maximum of €100 million.
That’s quite a bombshell – and could be quite a shock to boards that have neglected their data protection issues, potentially.
Let’s stop there for now. When we next speak, I’m going to focus in on the specifics of GDPR’s impact for organisations. Thanks for your attention and speak soon!
The author is an independent IT analyst with a 30 year plus career, specialising in information management, governance and processes. Prior to working as an analyst – first for The Butler Group, then latterly for Ovum – Mike was an IT Director in the NHS.