The new EU data protection regulations are causing quite a stir and will impact not just EU countries but also non-EU organisations.
Just what these impacts will be and how to prepare requires considerable planning so I caught up with data protection and data quality expert Daragh O Brien of Castlebridge Associates to find out more.
Dylan Jones: The EU Data Protection reform looks like it’s growing pace. I noticed in this update [http://bit.ly/eu-dp-memo] that the EU parliament voted on the Regulation and the Directive. What is the difference between the two?
Daragh O Brien: Unlike the current situation where we have a single Directive (95/46/EC) governing Data Protection in Europe, the proposed new regime will create a General Data Protection Regulation (with standardised direct effect across the 28 Member States) and a Directive for Data Protection for Policing and Criminal law enforcement.
The new Regulation replaces the existing EU Directive 95/46/EC whereas the policing Data Protection Directive proposed will replace a Framework decision on data protection in law enforcement taken by the Council of Ministers a few years ago.
The Regulation will have direct effect across all EU28 countries.
It will not require national law to enact it and there will be no scope for local variations in what the law says.
The Directive will be enacted by national legislation and national governments will have a degree of discretion as to how they implement the legislation, which is actually part of the reason the current EU Data Protection Directive is being replaced with a Regulation.
Basically if you are not a law enforcement body who is sharing data as part of an EU-wide policing database, the new Directive will not apply to you and the legislation to be concerned with is the General Data Protection Regulation.
Of course, if you are a systems integrator or a consultant working with agencies involved in policing or sharing of data regarding criminal law matters, the new Directive should be on your radar, as well as the Draft Regulation.
Dylan Jones: One line in the recent memo jumped out at me:
“Ministers broadly supported the principle that non-European companies when offering goods and services to European consumers, will have to apply the EU data protection law in full”.
How will this impact organisations in countries such as the USA who trade with EU countries? Will the new EU regulations go further than the current USA Data Protection laws for example?
Daragh O Brien: The short answer is that yes, the EU laws will go further than US Data Protection laws.
A common misconception is that the US has no data protection laws. The problem is actually the reverse: there are lots of them, but they are often sectoral in focus (e.g. HIPAA) or operate only at State level, and often are tied to the idea of privacy as a commodity to be traded or to a “risk management” perspective on privacy compliance.
The practical implication is that, if an organisation based outside the EU is collecting or processing data on EU citizens it will have to comply with the EU legislation on matters such as the Right to Data Portability, the use of consent in processing versus other lawful processing conditions, data security breach notification, and the need to be able to produce documented systems of internal Governance around their processing of personal data and to produce evidence of the operation of those controls.
This would be tied to the increased penalties that take EU Data Protection compliance out of the realm of time consuming gnat-bite for most organisations to potentially a real balance sheet impacting issue.
I would suspect that during the coming months we’ll see tightening of “Safe Harbour” rules in the US to include a closer focus on documentation of governance and an increase in “evidence based” support for any self-certification regime.
Dylan Jones: What’s your perception of activity on the ground within organisations who will be impacted by the regulation in the EU? Are they recognising the inevitability of the regulation and getting prepared or is it still a case of ‘wait and see’ for most compliance leaders?
Daragh O Brien: This Regulation is the SINGLE most heavily lobbied against piece of legislation EVER in the history of the European Union.
The pendulum has swung a lot during the drafting of this legislation between tighter controls on uses of data to ensure privacy and looser controls to make life easier for industries who work with data.
A lot of organisations remain in denial about what is potentially going to be required, particularly if their Data Protection compliance focus has historically been driven by legal. Lawyers often like to see the final text before advising, and there is still a sense among many commentators that there is a chance for further dilution of the Regulation before it is finalised.
What I am seeing is early adopters deciding to take the “broad brush strokes” of the Regulation as settled and start to make efforts to do the simple things that will be needed to ensure compliance under a more “risk-management” based regime.
Those simple things include:
- Changing culture and mindset about data and data privacy
- Implementing a Data Governance framework for personal data
- Developing KPI metrics to help track potential Data Protection issues
- Looking at IT systems and infrastructure to determine how to apply the “right to be forgotten” or meet the needs of the right to data portability
- Looking at their interaction with the customer in terms of how they communicate purposes for processing of data to make sure the customer is better able to give informed consent, or seeking to confirm other lawful processing conditions for data.
Dylan Jones: You’re an expert in this area so what kind of projects have you been helping companies with lately to get ready?
Daragh O Brien: I am just finishing the first phase of a Data Governance roll out with a company that emerged entirely from their response to Data Protection breaches under the current regime. They realised that if these issues were not addressed they would be in a worse position under the new Regulation, and they wisely took the view that this is a two year change programme to get it done right.
We have been tailoring Data Governance training, along with designing and implementing a DG function that ensures alignment of accountability and responsibility for Data Privacy and Compliance outcomes. We are also looking at Data Quality metrics as a mechanism to help provide a “proactive dashboard” for management on a number of Data Protection issues.
My company is also heavily involved in Data Protection Audit and Review projects with a number of clients to assess the “fitness for purpose” of their current governance frameworks and start the process of improving things. We’re actually doing two at the moment.
As part of that work we’ve launched a “Virtual Data Protection Officer” service to support organisations who don’t have the dedicated in-house staff to manage Data Protection obligations day to day or who have the staff but they don’t have the experience.
We’re developing a “one-stop-shop” support service for clients that offers practical services such as redaction of audio, video, or other records, or the definition of policies and governance structures, right up to training of staff and coaching of in-house “Data Protection Managers”.
We have also been engaging with a variety of sector membership organisations for the last few years to raise awareness of what was coming.
I’ve even contributed to the definition of a syllabus in Data Protection Practice for the Irish Law Society that includes a LOT of content on Data Governance and Information Quality practices, and I’ve just finished teaching the second run of that and am about to set yet another dastardly difficult assignment for the students on that course.
One thing that is clearly emerging in a number of clients is a realisation that Data Protection is another aspect of Data Governance and if they can get the holistic thinking in place DP compliance can help drive wider benefits in the organisation. This is EXACTLY what my friend Gwen Thomas was writing about over a decade ago.
Just like with car engine emissions or mandatory seat belts, there are industry sectors who will see this Regulation as “bad for business”. However, early adopters will be able to leverage the clear “Privacy Dividend” that is emerging while being able to implement the required Governance and culture changes over a more realistic time scale.
About Daragh O Brien
Daragh is the founder and Managing Director of Castlebridge Associates.
Daragh has developed and taught courses in Information Quality Management and Data Protection for a number of organisations in Ireland and has provided consulting services across industries as diverse as Health Care, Telecommunications, and Financial Services.
Prior to founding Castlebridge Associates Daragh worked for over a decade for a leading Irish Telecommunications company in roles as diverse as Call Centre operations, Single View of Customer Programme management, and Regulatory Compliance and Governance.
Daragh is a regular presenter and trainer at conferences in the UK and world wide.
Apart from his consulting and education work, Daragh is also an active member of the International Association for Information & Data Quality.
He lives in Wexford in the South East of Ireland.
Company Website: Daragh’s personal blog (opinions are his own)
Twitter: @daraghobrien