Have you heard of the EU’s new General Data Protection Regulation?
A fair few in the channel might have caught something about it but not given it much thought. After all, it's still years away, it's happening in some dusty old room in Brussels and it is, quite frankly, pretty dull. But the truth is this new framework - which will be implemented by governments across the EU - will bring about the biggest change to data protection in the UK in nearly two decades, and as such affects virtually all of the IT channel.
Those who don't give it enough attention in the next 12-24 months could find their business fined 2 per cent of turnover or even end up in the slammer. Penalties of that kind, while among the most severe being considered, should focus the mind a little.
So exactly what's going on and why should you care? Well, luckily enough I sat on a panel at the Cloud World Forum at the end of June discussing exactly this topic. Once passed, this data protection regulation will apply directly and immediately to UK firms – unlike an EU directive, it will not need transposing into national law before it takes effect. The good news is it is unlikely to land until 2014 or 2015. The bad news is that if you haven't thought about it yet, there's potentially a lot to consider.
At its most basic level this rule is about imposing greater accountability on those who store and transmit citizens' data – so managed and cloud service providers will probably be most affected. One of the key elements being discussed is a mandatory data breach notification requirement. This will compel any organisation that has suffered a breach over a certain threshold to notify the regulator, so service providers had better start working out a process for doing so, deciding which parts of the organisation to involve, and assessing whether their security is adequate.
The new regulation is also likely to bring in concepts such as the "right to be forgotten" and the "right to data portability". These aim to put more power in the hands of the individual: to have all data held on them completely erased from a service provider's systems and, if required, to have it ported to a new provider. Needless to say this could be onerous in the extreme and will require careful planning in data collection, classification, storage and destruction.
Data transfers across borders will also be addressed, effectively penalising any firm which sends customer data to a country where protections are not comparable with the EU's. This will provide much-needed clarity on where cloud data resides, but it also affects outsourcing arrangements and should be cause for channel firms to take another look at how secure their customers' data is.
This sweeping new regulation will not only directly affect cloud and managed service providers and vendors but also, by implication, any channel partner of theirs. So, it’s time for the channel to get smart about knowing which questions to ask of their vendor and service provider partners - and to tighten up internal data security measures. Many are still only paying lip service to security.
In the end, this is the EU’s belated attempt to catch up with the technology trends of the past 15 years. It’s data protection for the cloud computing age, and for that it should be welcomed, but given that lawmakers are far behind in crafting such a response, there’s really no excuse not to be on top of it by now. ®