Sunday 22 March 2015

EU Data Protection Tsunami Warning

I attended a couple of data protection conferences this month, I heard a significant amount of naivety about the proposed EU Data Protection regulations. I listened to supposedly expert DP speakers talk about lobbying for changes to the EU regulations, and a general denial that many of the new requirements were actually going to happen, hence my tsunami warning analogy.

UK Business needs to prepare to surf EU DP Regulation Tsunami

Seismic ‘once in a lifetime’ privacy Law Change
By end of this year, or early next year at the very latest, the European Parliament will enshrine into European law the biggest shake up in data protection and privacy legalisation we'll probably ever see in our lifetimes, it is that huge of a deal. Granted it will likely take another two years before it comes into force. 

Today we are standing on the beach, those that look will observe the dark spectre of a tsunami approaching far on the horizon, it is coming in, first we need to accept it is heading to our shores, then we need to accept we can’t change its scale or course, but what we can do is start preparing business for its arrival. 

The warning shot was the “EU Cookie’ law, an EU wide law that no EU citizen actually cares about, but nether-the-less nearly all major UK websites have annoying pop-up cookie banners in order to comply with it. The new EU regulations has some serious teeth by the way of huge financial penalties for any non-compliance with any of requirements, this makes the EU Cookie Law look like a drop in the ocean. Many of the legal requirements go beyond just the protection of personal data, here are a few bullet points of the rough ride in store for UK business in the data protection space in 2018.
  • Regulation Not Directive - This means the requirements are not open to any interpretation by member states (as current DPA laws are) as they pass it into local country laws; as the requirements are written so they shall be done
  • Data Breach Disclosure - All personal data breaches are required to be reported and so publicly disclosed, likely to be within a 48 hours of them occurring. Also applies to data processors, no more hiding behind data controllers for them. Presently only public sector organisations in the UK have to report personal data breaches to the ICO.
  • Major Fines for Non-Compliance - Fines of up to 5% of global annual turnover is enough to rock any boardroom with concern.
  • Data Processor liability - A Data Processor will be on equal par to a Data Controller. This will be a major concern to cloud service providers.
  • The Right to be Forgotten - Businesses must abide by data subject (EU citizens) requests to erase their personal data.
  • The Right of Portability - Businesses must be able to provide any held personal data in a format which lends itself to moving/sharing with other organisations upon the request of the data subject.
  • Data Protection Officer - Most UK businesses will be required to appoint a Data Protection Officer
  • Applies to Non-EEC business processing EU Citizen Data - Even if the UK opt of the EU, UK business which touch European Citizen personal information will still need to comply with the EU regulations. Also means US companies that process EU citizen data must comply as well, no matter where their data centres are, bad news for hte likes of Facebook, Microsoft, Apple and Google.
My point is whether you agree with these regulations is a moot point, some may say the privacy horse has bolted and long left the stable, while others say its high time we turn the tide on our 1984 society. But what is crystal clear water, is the present DPA law is seriously outdated, it was drafted long before the internet and digital data usage took off, so it is difficult to argue that an update to our data protection law is long overdue. Now we can debate whether these changes go too far or are not at conferences until the cows come home, but that's not going to change the fact these major changes will happen and will significantly impact UK businesses, so now is the time to stop debating, take our heads out of the sand and start preparing the business.