Why you can’t wait for the EU General Data Protection Regulation – Part one

The EU Data Protection Regulation aims to reform data protection legislation across Europe, in an effort to improve online privacy rights and boost the digital economy. It will replace the current EU Data Protection Directive and, unlike a directive, will be immediately binding in all EU member states when it comes into force.

It is not just about data: it is about individuals.

All data that could be considered personally identifiable information (PII) requires protection under the proposed law. PII is any data that could identify an individual in some way. PII could be an employee's birth date, the address of a customer, an individual's voice recognition data or a person's DNA. It could be exposed because an employee leaves an unencrypted laptop on a bus, or because an HR officer neglects to shred paper-based spreadsheets of information about staff.

What is the current progress of the Directive?

At the moment, the current law is still a directive because the Regulation has not yet been passed. Although over 3,000 changes to the proposed text have been requested by different member states, experts anticipate that it will be finalised and passed by the end of 2014.

It is expected to take two years from being passed before the law finally comes into force, but this is still speculation. Nothing in the Directive states that it will definitely take two years, and it could very well be enforced sooner.

Organisations must prepare now to meet the requirements of this tough new law.

Companies that believe they are compliant with the Data Protection Act in the UK do not, by default, meet the stringent new requirements of the proposed Regulation. Elements such as the right to object to data being processed, the processing of data relating to children, procedures for providing privacy notices and the accountabilities of the data controller are just a few of the items that represent major changes in data protection regulation.

You have to start acting now

Those in the know agree that no company or business entity can afford to wait. You cannot assume that you will deal with the implications of protecting your PII only once the legislation comes into force. Even though the law has not yet been passed and the details of the proposed Regulation have not yet been finalised, legal experts concur that a large amount of generic work can, and should, be done in advance.

Research conducted by Trend Micro shows that 32% of companies do not have a formal process in place to notify customers in the event of a data breach. The impending Regulation stipulates that customers must be notified of a data breach without undue delay and the applicable regulator must be notified within as little as 24 hours.

What types of businesses will be affected?

Almost every business will be affected – those in the public sector, private sector, small and large companies alike. In fact, any entity that stores or processes personal data will be affected.

Which divisions will most likely be affected?

Although every staff member will be required to be aware of the requirements of the Regulation, the departments on which it will have the biggest impact are likely to be HR, Operations, IT, Facilities Management and Legal.

What can you do to start preparing?

Ensure your data protection policies and procedures are up to scratch. Attend IT Governance’s Privacy Impact Assessment workshop; read the ICO’s analysis of the proposed EU General Data Protection Regulation. Compliance with data protection regulations can be made easier with a toolkit that takes the hard work out of trying to do it yourself.