Last week, the European Union agreed on proposed Data Protection Regulations that potentially impact all organizations that either use or process the personal data of EU citizens. There will now be further discussions before these become law, but for the first time these will be regulations rather than policy, which means that different EU member states will have little room for interpretation in how they are applied.
This has implications for IT service providers, SaaS providers and cloud providers, and for their customers. Under the current policy, third-party organizations that store data on behalf of others have limited responsibilities as “processors” rather than “controllers” of data. But under the new proposals, individuals will be able to seek legal compensation against any organization they believe has misused their data and against any third party that processed that data. In addition, the EU may be able to fine those who breach the regulations, with a maximum possible fine of two percent of their global turnover.
In practice this will mean that the safeguarding of personal data will become even more important, and that organizations will have to exercise due diligence in investigating the controls and processes deployed by any third party they trust to process data on their behalf. Businesses must now implement “privacy by design”; how this will work in practice is still being debated, but with increasing amounts of sensitive data being available online, companies will be expected to be more aware of privacy and better able to build it into their IT platforms and into any outsourcing relationships.
Larger processors of data will need to appoint a Data Protection Officer and they will need to evidence transparent processes that deal with:
In turn this means that businesses engaging with service providers should determine that these partners have:
Appropriate tools to ensure the physical and sound security of their data; ranging from secure data centers with appropriate access controls, through to consistent controls like firewalls, web application firewalls, intrusion detection or file integrity monitoring