The first EU Data Protection Directive was written in 1995, but a new, stronger regulation is being developed to take into account the vast technology changes of the last 20 years. The plan is to finalise the regulation this year and have it take effect in 2017.
As with any regulation, the current draft could change. However, only minor changes were made between the last two drafts, despite lobbying attempts, and the latest version is possibly as close to final as we'll see. Below are 10 of the most important elements European organisations should take away from the current draft, to help them prepare for 2017.
This is a regulation, not a directive
The terms regulation and directive are often used interchangeably, but they are very different. A directive sets a goal that each member state must implement and enforce through its own national law; a regulation becomes directly applicable law in every member state as soon as it is passed, without any national transposition. The current EU data protection directive has therefore produced a patchwork of slightly different laws across Europe, whereas the new regulation will apply in the same form in all 28 countries.
Data processors will be held responsible for data protection
Under the directive, any data "by which an individual can be identified" was the sole responsibility of the data controller, i.e. the organisation that decides why and how the data is processed. Under the new regulation, however, any company or individual that processes this data will also be held responsible for its protection, including third parties such as cloud providers. Put simply, anyone who touches or has access to your data, wherever they are based, shares responsibility in the case of a data breach. The ramifications of this are broad: third parties will need to be extra vigilant when it comes to securing the data of others, and data controllers will want to thoroughly vet their partners.
With the new regulation in mind, organisations should review their third-party contracts now. In the case of cloud providers, seriously consider including in the contract the right to review their security procedures, and even their facilities, to make sure they are up to scratch. Many cloud service providers, especially those based outside the EU, may not believe that the regulation applies to them; it is clear that it will.
The regulation has global ramifications
Don't let the terms 'EU' or 'Europe' fool you: the new regulation affects every global organisation that may hold data on EU citizens and residents. Reputational damage is also a key element of a data breach, and the new regulation is likely to harmonise 'naming and shaming' policies across countries. For instance, the UK's Information Commissioner's Office currently issues press releases when organisations are sanctioned, whereas some other countries are currently fairly "light touch".