Are You Prepared for the EU's New Data Protection Regulation?
Cloud Service Providers Would Feel the Impact
One of the new provisions most likely to affect non-European businesses attempting to do business in the E.U., or European businesses seeking to use non-European cloud service providers, revolves around data transfer to non-E.U. countries. The extant data protection laws already prohibit data transfers to countries outside the E.U. that don't have data protection laws of the same strength as the E.U.'s laws (the U.S., for instance), unless specific compliance steps have been taken.
"Prospective E.U. customers of SaaS services face significant legal hurdles if they wish to make use of third-party vendor software that runs through a Web browser and involves the hosting of the customer's data, including personal data, outside Europe," Graham Hann and Sally Annereau of Taylor Wessing wrote in a white paper commissioned by VMware and Ospero. They noted that the hurdles include security rules for diligence and oversight of outsourced processing, rules restricting exports of personal data outside of the E.U. and threats from overseas regulator 'long arm' requests for personal data.
"Concerns about the difficulty in overcoming these hurdles, worries about compliance risks leading to regulator enforcement litigation and damage to reputation, coupled with uncertainty about the future shape of proposed E.U. law protecting personal data, have made E.U. business wary of switching to cloud-based SaaS solutions hosted outside of Europe," they say.
The proposed legislation would give organizations more options for dealing with this prohibition, specifically with regard to binding corporate rules (BCR), which govern multinational businesses.
Ospero's Currill says that he's in favor of the new legislation because it will give companies one set of regulations they must adhere to rather than the many different laws currently in place. Ospero has, in fact, already positioned itself to prosper from the E.U.'s data transfer laws by taking a cue from the physical world's warehouse distribution model.
"A lot of these issues kind of go away if you just embrace the local culture that you're trying to do business in," Currill says. "The pitch to a German, to a French person, to an Italian, they're all completely different. The simplest thing to do is to embrace the local jurisdiction and embrace the local customer."
To do that, Ospero is marketing its data centers as "compliance hubs" that allow customers to operate in a country without the compliance issues involved in data transfer. Essentially, Currill says, customers host an image of their application in an Ospero data center in the country in which they wish to do business, while Ospero manages the data and the application without it ever leaving Europe.
The new legislation would also put strict restrictions in place with regard to consent requirements. It would require that consent for the use of PII be obtained in advance on an opt-in basis before it could be used, and would require parental consent for individuals age 13 and younger.
It also mandates data portability, giving individuals the right to demand that an organization transfer any information about them to a third-party organization in a format determined by the individuals.
Under the new legislation, organizations would be required to prove they undertake regular data protection audits and privacy impact assessments. Additionally, all private sector companies with more than 250 employees, all private sector companies whose core activities involve regular monitoring of individuals and all public authorities would be required to formally appoint a data protection officer (DPO).
"The data protection officer must be empowered by the organization to act as an independent assessor of its compliance with data protection laws and report to the board of directors in doing so," say Bäumer and Ostermann. "The E.U. regulation specifically requires the data protection officer to coordinate data protection by design and privacy impact assessment initiatives and to be responsible for data security initiatives generally. Responsibility for training staff is also mentioned as important. In short, the data protection officer must ensure that his or her organization has adopted good data governance policies and procedures."
The new legislation would also obligate organizations to notify data protection authorities of data breaches within 24 hours of discovering a breach, or to explain to authorities why it is not possible to provide full details of the breach.
To give teeth to the new legislation, the E.C. has proposed hefty fines for non-compliance. A provision would allow national supervisory authorities to send a warning letter for first offenses, but serious violations (like processing sensitive data without an individual's consent) would allow those supervisory authorities to impose penalties of up to €1 million or up to 2 percent of a company's global annual turnover.
Bäumer and Ostermann recommended a number of steps that organizations can take to prepare themselves for compliance with the new regulations.
Implement Good Data Protection Governance Measures
They recommend that organizations review their policies and procedures to ensure they reflect a serious focus on data protection issues.
"An organization's policies and procedures are a key benchmark against which its compliance is judged by regulators," they say. "The thought that has been given to both indicates how seriously data privacy compliance is taken. Information provided in policies, whether staff or customer facing, and the practices which they encourage are also at the heart of achieving compliance with two frequently breached principles of data protection law, namely: data security obligations which require 'appropriate technical and organizational measures' to be in place to prevent data loss and unauthorized access to data (in other words, companies need to be well organized when it comes to information security); and knowledge/consent obligations which require an organization to inform its staff, customers and suppliers what data it processes about them, and what it uses that data for (again, internal and externally facing policies provide a key mechanism for supplying that information)."
Bäumer and Ostermann also recommend regular and well-thought-out training programs for staff that handle valuable data. In addition, they recommend organizations make a point of taking compliance seriously by running regular audits and privacy impact assessments before introducing any new significant data processing activities.
With regard to data transfer compliance, Bäumer and Ostermann recommend adding an assessment of an organization's data transfer compliance to any compliance review of potential third-party partners. And because organizations are responsible and liable for the compliance acts and omissions of their suppliers, they recommend organizations adopt four mitigation measures, as follows:
- Encryption. One of the first steps regulators often take following a data breach is to require the adoption of encryption technology. Organizations can sidestep the expense and difficulty of implementing encryption on short notice by implementing it now.
- Service levels. The data protection laws require companies to have strong written service levels in place with suppliers that are given access to PII. Bäumer and Ostermann note that regulators will look poorly on companies that suffer a data breach if they do not have strong SLAs in place.
- Data breach notifications. Some European countries already have data breach notification laws in place, and some sectors (like financial services and telecom) are also already broadly subject to such laws. But the new legislation would extend those requirements to all organizations in the E.U. Bäumer and Ostermann recommend company management determine whether their organization is ready to meet the new requirements.
- Supplier due diligence. They note that in the event of a security incident, regulators will look closely at the pre-contract due diligence undertaken on the supplier. Regulators are likely to look more favorably upon organizations which undertake such due diligence.
The new legislation would update the existing E-Privacy Directive to require that opt-in consent be obtained before implementing any device or Internet usage tracking technology. Bäumer and Ostermann say that the biggest challenge many businesses would face is how to explain and obtain consent for the usage of such cookies or other tracking technologies without putting off visitors to their Websites. They recommend companies undertake an audit of their cookies and other tracking technologies to assess what they are used for and why. In addition, they suggest companies review their privacy policies with regard to tracking technologies and present notices to users.
Thor Olavsrud covers IT Security, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Thor at firstname.lastname@example.org