The EU’s first controls for protecting personal data came at a time when it had long been assumed that it was bad business to not observe confidentiality of data. In cases where regular data sharing occurred in ways that contravened current legislation, the damage that could have been done then – compared to now – is vastly different. We have come from a period where we hardly ever created data about ourselves, to a point in time where we create more data about ourselves in a single week (or in a day) than we once did in a lifetime. Much of this data is stored online and held by service providers that may reside in jurisdictions outside our sphere of control.
The European Union has had two iterations of Data Protection legislation. Since the last one in 1995, however, the digital world has changed so much that businesses relying on personal data are currently being valued at levels much higher than other traditional manufacturing businesses. This being the case, now is a good time to reshape past initiatives whilst looking at the future of facilitating good practices. These good practices involve putting control back into the hands of the person whose data is being processed.
Not only is now the best time to regulate, but now is also the best time to set a vision that would create greater competition in business, and at the same time, greater co-operation in law enforcement to catch criminals who take advantage of businesses with lots of person data records and ineffective security controls.
In the last few weeks, several internet-based firms have announced that they are able to partition their services on a per-country basis; this would not have happened without the events of the past year, including both the ‘Arab Spring’ and the riots in London. Being able to provide a partitioned service is beneficial for companies such as Twitter, ensuring that it is not restricted from a single country.
| "Now is the best time to set a vision that would create greater competition in business, and greater co-operation in law enforcement" |
So, here enters the proposed changes to the EU Regulation on Data Protection. To be useful to EU citizens, past mistakes were examined as well as the desired outcomes for individuals. The Regulation does cover many issues, but here I will discuss a few of the most noteworthy.
First, the revisions consider clarification of definitions, with the most important relating to consent. The clarification provided is that consent must be explicit, so that there is no room for doubt as to what is meant. The significance of this proposal is that courts across Europe will no longer have to interpret consent.
Second, although there are separate Articles for Transparent information and communication, the rights to be forgotten, to data erasure, and the right to data portability are, I believe, related from a business perspective. Transparency refers to being clear about processing of the data provided; data erasure and portability are as obvious as they sound. All of these can be viewed as business advantages in the same way that Twitter, Google and Facebook have had to make changes to continue operating in the countries of their choice – it’s just a cost of operation.
Further, I believe that if these revisions are viewed positively by industry, then we may see several standards for different types of data to facilitate portability, in the same way that there are standards for data portability in office-type documents with the Microsoft and Open Office formats. Viewing personal data as something that belongs to the individual – to be used to select between different service providers – will create greater innovation and competition. Of all the proposals in the regulation, the data portability section is one that requires the greatest changes and investment, in that existing data models in applications will need to be amended retrospectively. However, it is equally the one change that will create the greatest opportunities.
Greater portability assumes that the data controller knows where all the data relating to an individual resides, and if this is true, controllers will also be able to provide the facility to delete all data relating to an individual that no longer needs to be held. For example, data that has to be held for financial purposes may still be kept, but all other data involving unrelated activities can be deleted without any problems. I do see that an unintended effect of data portability could also mean that hackers and criminals are able to take advantage of such functionality and steal all data belonging to selected individuals. However, before the portability option is offered, there will need to be more-than-adequate safeguards in place. Again, I believe this is an opportunity that shouldn’t be missed.
Finally, the proposed data breach communication article specifies that notification be within 24 hours of a breach. This raises the bar for security, and shifts the power balance from businesses that make excuses to one where businesses are accountable for the loss of information.
So, in the end, the proposed changes offer business opportunities. More importantly, they require organizations to be more accountable to the people who entrusted them to safeguard their information.
| Sarb Sembhi is the director of client service for security consultancy Incoming Thought, and he serves as chair of the Security Advisory Group of ISACA’s London Chapter. Sembhi is the founder of the International Secure System Development Conference, and a member of Infosecurity magazine’s editorial advisory board. |
For a different perspective on this topic, read our accompanying editorial by Marco Cremonini