In a blog at my employer’s site I looked at how to become compliant with the EU’s General Data Protection Regulation. Regulations are the Law in all the member states, and members of the European Economic Area. The article looks at the issues of consent, the new data subject rights, privacy by design, the meaning of adequate protection and new public accountability via the duty to report breaches and to appoint a professional data protection officer.
The Law updates the 1995 Data Protection Directive; it became Law in May 2016 and has a two-year period allowing time for businesses and regulators to prepare. The Law is coming to the UK no matter what happens over Brexit, if for no other reason than that UK businesses will find it very hard to export into Europe unless they comply with the new Law; it is also an area in which the European Union can effectively sanction any states that seek to ignore or subvert the law.
The axiom that personal data cannot be processed without permission and can only be retained while consent is granted, and for the purpose for which consent has been granted, remains in place. These rights have been extended. I believe that the “right to be forgotten”, while it impacts search engines in a unique fashion, which has been explored at great length elsewhere, is a minor emphasis on the obvious corollary of the withdrawal of consent. Data Processing can only occur with the explicit consent of the data subject and only for as long as the consent is granted. Data must be deleted when consent is withdrawn, and so there is a right of erasure. More exciting is the right of freedom from algorithmic processing specified in Article 21.
I explore the impact on systems development life cycles and Requirements Management of the need to perform privacy impact analyses, and the possible need for the private sector to learn from the public sector in order to meet the needs of the Privacy-by-Design clauses in the law.
The need to take adequate technical and organisational measures to protect the availability, confidentiality and integrity of personal data also remains. I suggest that the use of best practice standards such as ISO 27001 and COBIT will become pervasive, at least for larger organisations.
The article concludes with a look at the new public accountability requirements: the continued need to register as a data controller/processor, the obligation to report breaches and to appoint a Data Protection Officer.
This article has been backdated to about the time it was authored; it got lost in the kipple warp.