Business Law & Compliance
EU data protection law: 6 discussion topics to consider
23 April 2014
New EU data protection laws are coming closer following a recent vote in the European Parliament.
Whilst quite a few areas are still to be agreed, and there is strong opposition to the proposed legislation from US industry groups, the net effect of the likely changes will be tighter legal requirements on how organisations handle their data: where it is located, how it is secured, and how it is anonymised and kept private. The vote passed the European Parliament with an overwhelming majority (621 for, ten against and 22 abstentions), which speaks to the depth of concern about this issue in Europe.
For organisations working to manage the risk exposure of their digital data, this brings certain issues to the fore. If your business IT applications or sensitive data make use of public or ‘hybrid’ cloud resources, drawing on infrastructure not under your direct management, you will need to assess if and how you are exposed, and whether you have the controls needed to comply with whatever the final law ends up looking like. Given the explosion in enterprise data, this puts pressure on CXOs to work with their IT department to find a way to deliver scale whilst limiting both cost and compliance risk.
Preparing for increased regulation
Here are six discussion points for CXOs and IT leaders to consider about their enterprises’ data at all times, and which will be a particular focus if the EU data protection laws are implemented:
1. What is your data?
Defining what your corporate data actually “is” can be more challenging than ever before. It is no longer defined by location, as data frequently leaves company premises on legitimate grounds, for example travelling through the supply chain or to third-party service providers such as printing or marketing firms. Nor is it defined by form: structured data in databases and unstructured data such as documents and email can each sit inside the corporate firewall or be held outside it by third parties, and in the latter case it is no longer under the direct control of the enterprise.
Even data still under your direct control is increasingly likely to be hosted off-site as cloud services become more pervasive. It already often leaves the premises at the end of each day on employee laptops, tablets and smartphones, which in many cases no longer belong to the company given the rise of bring-your-own-device (BYOD) policies.
As it becomes harder to protect all types of data, it becomes essential to classify company data and to decide what level of protection is appropriate to each class, from relatively immaterial information through customer or employee data to commercially sensitive information and trade secrets. A classification is only useful if each class is tied to concrete handling rules and controls, including what may leave the premises or be placed with a cloud provider. Understanding that not all data is created equal, and that some of it will be more sensitive or used more frequently, is a prerequisite for the board to make informed decisions about investment in internal IT infrastructure and about the role of private cloud or external public cloud services.
2. Where is your data?
Probably the most pervasive trend in enterprise IT today is the move to cloud systems, which give IT services a very different profile in the pursuit of efficiency. Cloud services and cloud infrastructure may be on-premise, delivered from within an organisation’s own real estate, or off-premise, hosted in other locations on behalf of the company. In both cases the data may sit in one place or in many, and it may move.
Location matters, particularly in the wake of the proposed legislation. CXOs therefore need to be clear on the legal implications of where data is stored, even briefly, as with replicas or backups, and especially where that is in another territory or legal jurisdiction, so that cross-border movement of personal data is involved, as it commonly is in a public cloud. Where data is stored may bring a company under another regulatory regime, for data privacy or financial regulation for example, or put it in breach of local laws.
3. How and where is key data protected?
Protecting data stored on or accessed from tablets, smartphones and USB memory sticks, as well as from traditional computing devices, is a fast-shifting challenge. It involves two things: first, securing the data against malicious attack and accidental loss, and second, delivering resilience and recovery in the event of an incident. In both cases there are contractual and regulatory implications, which are set to tighten further under the proposed EU legislation.
Assessing these risks and choosing the right mitigation path – redundancy, resilience, recovery – needs input from the business to enable the CIO to justify investment in the appropriate security, backup and recovery services and technologies.
4. How is data stored?
The rise of compact, high-capacity storage devices and the growth of cloud storage services creates the risk of “guerrilla IT”, where employees circumvent technical restrictions, whether to get their work done or to deliberately and maliciously gain access to data. This routinely results in confidential data moving beyond the corporate firewall, violating corporate governance and potentially regulation and local law. Educating employees on the personal and corporate risks that flow from this is a key compliance obligation, and one that will gain prominence as the proposed EU data privacy legislation comes into force; education works best when paired with sanctioned, usable alternatives and technical controls, since a restriction that blocks legitimate work is what drives people to work around it.
5. What big data do we have?
Big data, from one perspective, involves the integration of multiple data sets to create new insights. These data sets may be innocuous separately, and properly created or obtained, but in combination they may yield “net-new” data that is unexpected and potentially sensitive.
For example, careful analysis of social media activity might yield information that an insurer would consider relevant when offering a customer or group of customers a life assurance product. The legal position of this sort of activity is not always clear, and CXOs need to keep an eye on how the proposed EU legislation addresses it, as big data will play an increasing role in how businesses strive for growth.
6. Are organisations equipped to meet e-disclosure requirements in all markets?
Cloud changes the context for e-disclosure, that is, the production of information to an opponent and a court over the course of a dispute. Discovery and disclosure laws currently vary between countries, and the physical location of your data can have significant implications for the jurisdictions in which it may be discoverable. CXOs need to be aware of any implications of the proposed EU legislation here.
As technology continues to evolve and disrupt traditional ways of doing business, both EU legislation and country-specific regulations will continue to evolve to keep pace, and the entire CXO suite has a responsibility to ensure the business has a holistic view of its exposure to different categories of risk.
Data protection regulation is one of those issues that bumps IT onto the agenda of the senior management team and the board of every business, and CXOs need to have a collaborative discussion centred on their IT exposure in order to establish how to mitigate it. Public cloud services, despite the growing hype around them, are not well suited to delivering the levels of control required to minimise risk, particularly in a context of increasing scrutiny of data protection. The risk of exposing customer data unduly, and falling foul of these regulations, is not one any business will want to take.
Steve O’Neill is CFO EMEA Strategic Operations and Senior Director, EMEA Sales Strategy of EMC.