Learning from the European Union Data Directives on Privacy

It was welcome news that a common set of privacy standards is to be applied to organizations across the entire European Union (EU) for the first time - as was the game plan that includes immediate notification of breaches and other "data misplacements." The new requirements are sure to create a lot of moaning and groaning back and forth across the pond, but - as we have seen with the PCI DSS governance rules - after a short while, they will become the accepted business practice and part of the data protection and management landscape.

This marks the first significant update of data protection legislation since 1995, so it is well overdue. The measures are being finalized within the European Commission (EC), so some of the fine detail is still to be revealed, and they will have to be approved by the national governments. Some, particularly Germany, will be reluctant to lose out on privacy matters to Brussels, and it will likely take 2-4 years before the measures come into effect.

Despite the economic problems which made international headlines in the last few months, Europe remains a vital market for North American companies. It is a staging post for the Middle Eastern and African markets, and London is still one of the most important financial capitals in the world. The United Kingdom coalition government has led the way in fiscal probity for Europe. However, Europe does have a habit of making things difficult for itself, and the new laws have been viewed by some as falling into this category.

The proposals are designed to significantly increase the EU's powers to punish those who allow major data breaches to occur or who sell customer data to third parties without authorization. They also aim to further protect information held by social networks and cloud computing services. Organizations will have 24 hours to notify the data protection authorities and the affected parties in cases where private data has been compromised. By making sure that the rules also apply to foreign groups' European subsidiaries, the new rules will force global companies to strengthen their data protection policies. All companies with more than 250 employees will have to have dedicated staff to deal with data protection issues. The rules will give the EU similar powers in policing privacy to those it wields in competition matters - where it can impose fines of up to 10% of turnover for violations.

In an early April teleconference between members of the EC in Brussels and the U.S. Department of Commerce in Washington, EC vice president Viviane Reding suggested that the U.S. copy the EU's approach - one which could imply a heavier hand. Reding said that the aim of meetings between the commercial regulators for the two governments was nothing short of "regulatory convergence" - suggesting that they should come to an agreement on the language of the respective laws governing how ISPs and content providers handle personal data protection. She said that it's up to Washington to catch up with the "gold standard" that Europe has already set. So while Europe and Washington battle it out about the respective effects of the U.S. Patriot Act 2001 and adequate levels of protection for European data and American data centers, U.S. organizations doing business in Europe will have to establish mechanisms to comply with this new law.

So, should people be horrified by European bureaucracy or beat the drum for watertight data protection? Upon review, it is evident that the new rules strike an excellent balance between the very real data privacy needs of citizens and the practical issues of managing data within the modern corporate environment.

Many IT security professionals have expressed concerns about the technical problems associated with managing, protecting and auditing access to their growing data stores. While these concerns are understandable, the reality is that with the correct technology in place these issues can easily be solved.

The U.S.-EU Safe Harbor program has been created as a way for U.S. companies to comply with the EU data protection directive. This program allows companies which are certified with the Safe Harbor principles to process EU personal data even though the U.S. has not met the EU's privacy protection adequacy standards. The Safe Harbor principles reflect the seven fundamental principles laid out in the EU data protection directive. They are: 1) notice, 2) opt-out choice, 3) restriction on onward transfer, 4) security of data protection, 5) preservation of data integrity, 6) individual's right to access, and 7) effective enforcement.

Many organizations have been struggling with non-existent or limited permissions management, classification, and auditing capabilities included with their data stores, but new metadata framework technologies can provide intelligence, automation, and control across multiple platforms to allow C-level executives to sleep easy.

Surely we do not need the threat of legislation to ensure that we remain compliant? Sensitive information should only be accessible to those who absolutely require access. But just how many companies actually have the security procedures in place to enable this to happen? Not many is the truth. What happens in practice is that many IT departments face significant challenges keeping authorization up to date - making sure the right users are in the right groups and the right groups map to the right data resources, like folders, sites, and mailboxes. This is essential as users move through an organization, changing roles, requiring access to more and more data. Unless the processes to grant, review, analyze, and revoke access are automated, content is automatically inspected to look for sensitive data, and access is monitored and analyzed, the organization will be unable to maintain correct authorization, and unable to monitor access activity to look for likely threats.

The problem of the rise in unstructured data, i.e., the data which is increasing dramatically in everyone's corporate network, is one which has to be faced head-on. As far as unstructured data is concerned, the introduction of a single set of privacy standards for all EU territories is long overdue. The fact that this will be a complex migration for some multinationals - and those firms that are pushing into new countries for the first time - is one which we should see as a welcome opportunity and not a dreaded challenge.

The key issue in the new rules is the requirement that any company maintaining personal information - be that customer records, internal human resources directories, or any other list - will have to comply with the new requirements, and be able to show how and why they are using personal data. This is something which is a service to the customer anyway, and should already be in place in any well-organized company. Another controversial aspect of this legislation is the "right to be forgotten" which means that companies cannot just keep information they have finished with, and have no legitimate right to use any more, in their infrastructure on pain of being heavily fined.

This highlights the difference between U.S. data laws and European data laws. While data protection requirements in the U.S., according to a September 2011 Forrester Research, Inc. report ("Q & A: EU privacy regulations" written by Chenxi Wang, Ph.D.), "... are commonly industry-centric, those in the EU focus more on the individual's right to privacy. This leads to a number of differences in how data should be handled in the EU versus the U.S., especially in transferring data between countries with varying regulatory standards."

There have been some fears expressed that the planned 5% turnover penalties are too high. While a 2% maximum will please many industry onlookers, it will still act as a very positive deterrent for any company thinking they can simply hope for the best with their existing data protection systems.

The new regulations' mandate for the appointment of a data protection officer will help focus the attention of many more companies on what has become a major issue in this digital age - and help ensure that the vast majority of firms do a lot more than simply pay lip service to the new regulations.

The application of the rules to non-EU entities - especially those in the U.S. - that want to offer their goods and services in the EU is to be welcomed, as it helps to balance parallel requirements under the U.S. Sarbanes-Oxley governance rules. U.S. companies cannot expect to get special treatment on mainland Europe. Senior management may well be on the high wire, but, as they look down, they will look down upon the happy and contented faces of customers whose information is safer.

About the Author:

David Gibson is director of strategy at Varonis Systems.