The Data Devil Is In The GDPR Detail

For Mike Davis, author and spokesperson for independent global information professionals’ organisation, AIIM, recent European data protection regulation changes need to be tracked by anyone interested in storing and managing cloud content.

300px-European_flag_in_Karlskrona_2011Welcome back to the third in our short series of explanatory blogs about all General Data Protection Regulation – or the GDPR – which is all about bringing all 28 member countries under a single regime of rules, with similar penalties for breaches right across the European Union.

Also as I said, our organisation, working in collaboration with respected legal experts Bird and Bird, has produced a report on what all this means for anyone interested in storage, content, the cloud, privacy – which may well be all of us these days, but should be particularly relevant to the DM world, I’d say.

Remember, it’s very easy to get the free download of that study which covers the main issues, but I hope you also find it useful to have them broken down a bit more for you via this blog.

Last time we covered the background to EU data privacy and why Brussels has brought in GDPR, and the threat of high (possibly €100m) fines for data breaches. Now, we need to hone right in on what GDPR means for businesses on a day-to-day level.

As stated last time, the GDPR extends the definition of personal data to include email address(es), the IP address of computer(s) used, and any posts on social media sites. It also covers all organisations operating in Europe – irrespective of where the data is stored.

It also wants organisations to:

Collect explicit consent to collect data from data subjects. The data subjects must ‘opt-in’ and you must always make it easy for the subject if they wish to withdraw that consent.

You must be able to delete all customer data at the request of the data subject – a provision known as “Right to Erasure” – unless there is a legitimate reason for its retention.

You must provide data subjects with a clear privacy policy and on request be able to provide your data subjects with a copy of their personal data in a format that can be transmitted electronically to another system.

Get ready to be able to undertake an annual risk management/analysis, detailing both the risks identified for data breach/loss and steps taken to alleviate those risks.

Establish which is to be the single Data Protection Authority (DPA) for your organisation, which may be in any member state. NB: observers expect the UK and Ireland will be the most popular choices because of the widespread use of English as a common business language.

Appoint a lead authority Data Controller (see our earlier blog ‘The Era Of The €100m Data Fine Is Dawning’ for definitions of what a Data Controller and Processor are) to be responsible for all processing operations across Europe. If you are a public body or an organisation processing more than 5,000 data subjects, then you will also need to appoint a designated Data Protection Officer within 12 months of the Regulation coming into force across the EU.

By the way, the way things are going it looks like that will be around 2016; the rest of 2014 will be about finessing the detail and then member states will have a maximum of two years to put all this on their statute books – which means early 2017 is shaping up to be the latest compliance date that you will have.

Anyway, back to the business of GDPR. You will also need to put processes in place to be able to fully document any data breach, plus be able to notify the appropriate authority ‘without undue delay’. It is expected that the authority will decide whether the organisation should notify data subjects if any ‘adverse impact’ has been determined.

It is also being proposed that the Data Controller and the Data Processor (which could well be a cloud provider) have joint liability for any breach.

And finally, organisations will be able to apply for a EU Data Protection Seal, which will be a 5-year certification of the processes it and its Data Processor(s) have in place.

Sorry for all this detail, but I think it’s worth knowing that GDPR is a lot more than big fines: it will also mean structural and process changes for any company, cloud or not, that works with customer data.

Now we will turn, when we next speak, to the specific recommendations that AIIM wants to make to the market in reaction to all these proposed changes: I hope you will find them useful.

The author is an independent IT analyst with a 30 year plus career, specialising in information management, governance and processes. Prior to working as an analyst – first for The Butler Group, then latterly for Ovum – Mike was an IT Director in the NHS.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s