I was recently invited to speak at a conference about data security – not the most exciting of topics, you might say! However, the recent high-profile breaches at TalkTalk and Ashley Madison, together with planned European Union regulatory changes, mean the topic is, or should be, on the agenda in every boardroom throughout Europe (and almost certainly beyond). Yet, according to the statistics, more than 80% of IT leaders reply “what planned EU regulatory changes?”!
The current EU legislation was passed in 1995, well before anyone had heard of Google (1998), Amazon Web Services (2006) or Dropbox (2007), and it is only a directive: each member state is left to transpose it into its own national law. As a result there is no common legislation, and there are huge variations in how data protection and privacy laws are interpreted from one country to the next.
The EU has recognised this problem, and for the past few years has been working on a replacement. In January 2012 the General Data Protection Regulation (GDPR) was unveiled. This is a regulation, NOT a directive, so it applies directly and will be mandatory in every member state without national implementing laws. The timescales are for final approval in late 2015/early 2016, followed by a two-year window for all affected companies to become compliant. So what does it cover?
The GDPR is focused on EU citizens’ data security AND data privacy, irrespective of where the data is processed. So if you do business ANYWHERE in the European Union and store ANY customer data, this regulation will affect you, even if your servers sit outside the EU. Failure to comply will lead to financial penalties far in excess of current fines: the proposed maximum is €100M or 5% of global turnover, whichever is larger!
So if you haven’t started planning yet, you had better put your thinking cap on. In terms of what you need to consider, there are four main areas in relation to personally identifiable data:
- Data security: encryption – you must restrict access to personal data and maintain logs of who has accessed it, so encrypt everything! Bear in mind that encryption only protects the data if access to the keys is itself restricted and logged; encrypted data that anyone with a database login can read is not restricted at all.
- Data privacy: consent – the individual’s consent to use their data must be obtained explicitly; it cannot be assumed by default, or requested in a confusing or implied way.
- Data privacy: portability – you must be able to provide an export of ALL of an individual’s personal data on request, in a commonly used, machine-readable format.
- Data privacy: the “right to be forgotten” – you must be able to delete ALL of an individual’s data on request, apart from what you are legally required to retain.
The good news is that for Lexis Visualfiles we have already been working on these requirements. The toolkit nature of Visualfiles already allows you to export and delete an individual’s data via the scripting language, which matters because no two Visualfiles systems are the same and the fields holding personal data vary from one installation to the next. We have also been working with our technology partner, Progress, on how we can support the data security requirements, and we have documented how this can be achieved.
Changes are afoot, and it is vital that you start planning now for how your systems and processes will ensure you don’t become the next TalkTalk!