For Mike Davis, author and spokesperson for independent global information professionals’ organisation, AIIM, recent European data protection regulation changes need to be tracked by anyone interested in storing and managing cloud content.
Welcome back to the fourth and last in our short series of explanatory blogs about the General Data Protection Regulation – or GDPR – which is all about bringing all 28 member countries under a single regime of rules, with similar penalties for breaches right across the European Union. As I said before, our organisation, working in collaboration with respected legal experts Bird and Bird, has produced a free-to-download report, ‘Making sense of European Data Protection Regulations as they relate to the storage and management of content in the Cloud’, on what all this means for anyone interested in storage, content, the cloud and privacy – which may well be all of us these days, but which should be particularly relevant to the DM world.
In the first three blogs of this short series, we introduced the topic of GDPR, set a bit of context in terms of history and then looked at some of the specific features of the proposals, which do, yes, include big scary fines (5% of turnover or a €100m maximum fiscal penalty), but which actually also cover a lot more than that, in terms of new definitions of roles like Data Controller and Data Processor, as well as new reporting obligations.
In this last post of this series, we now need to finish our review by drilling down into what we think the industry needs to do about GDPR – more specifically for anyone using cloud services to store data (or which are seriously intending to):
Here are our recommendations, firstly, for end-user organisations:
Be aware of the respective EU countries from which the personal data of your data subjects originates, and until GDPR comes into full force (expected to be early 2017), follow the current legislation in the country the subject lives in (e.g. the UK or Germany), with particular awareness of what that local legislation says about the transfer of such personal data across borders.
Be very sure whether any of your existing cloud data processes fall foul of current legislation – and if they do, immediately seek to work with the respective Data Protection Authorities to resolve the problems.
Review all your contracts with existing data processors to ensure that they are compliant with current legislation – while also creating a process to set up fully GDPR-compliant strategies in each country you’re operating in.
Set up procedures now to start securing explicit consent for the collection and processing of personal data in preparation for the implementation of the Regulation.
And now here are our recommendations for all data processors providing cloud services, which could well be you:
Review the physical locations of your data centres so as to ensure that they are not currently processing personal data outside the boundaries set by individual country legislation (this is pre-GDPR, obviously).
On that basis, decide whether you need to establish data centres within the European Union/European Economic Area or other areas with adequate levels of protection in preparation for the Regulation.
Do the work now to set a compliant strategy for the company – in each geography you work in, so inside and outside of Europe if you operate there – in preparation for the requirements of the Regulation.
Finally, very much last but not least, educate your sales and technical staff on the implications of the GDPR and amend contracts and provisioning appropriately.
The bottom line is that GDPR is coming, that it will bring in big changes in how Europeans’ data can be collected, stored and protected – and that anyone in the cloud sector, as well as any company storing customer data, really does need to prepare for it.
Don’t think 2017 is a long way off, either. (Our report contains information on local European data law for 13 EU member states, data that you might find useful for evaluating your current exposure and obligations pre-GDPR.) It really will happen sooner than you think!
So it only remains for me to say good luck with your preparation for the Regulation!
The author is an independent IT analyst with a 30-year-plus career, specialising in information management, governance and processes. Prior to working as an analyst – first for The Butler Group, then latterly for Ovum – Mike was an IT Director in the NHS.