Changes to EU Data Protection directives will affect businesses from 2017
From 2017, the new EU data protection directive is enforceable across EU countries. In IT and data implementation terms, a two-year execution period is in reality just around the corner. Data protection and IT security issues typically require several teams to work together to comply with the new regulation: IT, marketing, legal and compliance, management, and business teams will all need a road-map and framework to implement business change and new IT projects. Therefore, all companies are now preparing for the practical implementation of the forthcoming EU General Data Protection Regulation.
For nearly two decades, EU data protection laws have remained more or less stagnant, even though considerable technological advances have been made in social media, big data, and the cloud boom.
The EU Commission will address the gap between law and technology across the region. A new draft of the EU data protection law, called the General Data Protection Regulation, will be published once the three EU IT compliance bodies have agreed on a final version.
Company decides how personal data is used.
All European businesses have to consider and plan for the new generation of IT and data compliance regulation to address the increased scope of the directive. The primary departure is that, under the current regime, data protection law only applies to data that directly identifies an individual, as well as data that identifies an individual when combined with other information held by the data controller or the database.
Therefore pseudonyms, IP addresses and other unique reference numbers would not be personal data, unless the data controller combines them with other personal information, e.g. e-mail addresses or other references that can link the data to an individual.
Any unique identifier/pseudonym is private data.
Under the new regulation, all data that identifies an individual, whether directly or indirectly, will in future be considered personal data. There is no longer a requirement for the company to hold another database that would allow the individual to be re-identified.
Businesses that use pseudonymous data to circumvent the need to comply with EU data protection laws should expect the regulation to affect many more businesses and databases than before.
Pseudonymous personal data.
There is, however, an outside chance that less rigorous compliance requirements will be applied to pseudonymous data, treated as a subset of personal data. Otherwise, the same conditions as for "standard" personal data will be applied to all databases.
To prepare for the new regulation, all IT officers should start reviewing the types of data held in their databases, then classify the data sets and subsets into sensitive, personal or pseudonymous data. Those who want to cut corners could reclassify pseudonymous data as personal data. The benefits, however, will be short-lived in relation to future global data protection compliance requirements.
To learn about the issues covered above, attend the IT workshop on IT governance, digital forensics, cyber crime and cloud computing at the 9th annual European GRC Summit in Stockholm.
http://www.copenhagencompliance.com/news/issueXXI/EU_data_protection_directives.php