I welcome news that a common set of privacy standards is to be applied to organisations across the entire European Union for the first time – as well as a game plan that includes immediate notification of breaches and other ‘data misplacements’.
The new rules strike an excellent balance between the very real data privacy needs of citizens and the practical issues of managing data within the modern corporate environment.
Notice I said practical issues. Many IT security professionals have expressed concerns about the technical problems associated with managing, protecting and auditing access to their growing data stores. While these concerns are understandable, the reality is that with the correct technology in place – these issues can easily be solved.
Many organisations have been struggling with the non-existent or limited permissions management, classification and auditing capabilities included with their data stores, but new metadata framework technologies can provide intelligence, automation and control across multiple platforms, allowing C-level executives to sleep easy in their beds at night.
The introduction of a single set of privacy standards for all EU territories is long overdue, although the migration to the new rules may be a complex process for some multinationals – and for those firms that are pushing into new countries for the first time.
The key issue in the new rules that made me sit up and take notice is the requirement that any company maintaining personal information – be that customer records, internal human resources directories or any other list – will have to comply with the new rules, and be able to show how and why they are using personal data.
There have been some fears that the planned five per cent turnover penalties were too high. While a two per cent maximum will please many industry onlookers, it will still act as a very positive deterrent for any company thinking they can simply hope for the best with their actual data protection systems.
One area that I particularly welcome is the requirement that companies that misplace any personal information must immediately notify the regulatory authorities – and all concerned parties – as is the additional requirement that companies with more than 250 staff appoint a data protection officer.
This latter requirement is excellent news. The appointment of a data protection officer will help focus the attention of many more companies on what has become a major issue for everyone in this digital age – and help ensure that the vast majority of firms do a lot more than simply pay lip service to the new regulations.
The application of the rules to non-EU entities – especially those in the US – that want to offer their goods and services into the EU – is also to be welcomed, as it helps to balance parallel requirements under the US Sarbanes-Oxley governance rules, for example.
Yes, there will be a lot of moaning and groaning about the new rules, but I predict that – as we have seen with the PCI DSS governance rules – after a short while, they will become the accepted business practice and part of the data protection and management landscape. And that is a significant move forward for everyone.