Changes in European Data Protection Regulation: A look at the GDPR

Overview of the EU initiative to simplify data protection in 2015

The draft General Data Protection Regulation (GDPR) is due to be passed through European Parliament. It will impact any organisation that gathers, processes and stores personal data. TechRadarPro speaks to Loic Triger of Ipswitch to determine what difference the GDPR is likely to have on businesses and organisations in 2015.

TRP What is GDPR?

LT GDPR stands for General Data Protection Regulation (GDPR) and is part of Article 8 of the European Convention on Human Rights. It is currently a draft regulation, due to come into effect in early 2015, designed to unify and simplify data protection across the 28 member countries of the European Union (EU).

The GDPR includes a strict data protection compliance regime with severe penalties of up to 100M euros or up to five percent of worldwide turnover for organisations in breach of its rules.

The proposal for the GDPR was released in January 2012 and the EU is said to be planning for adoption over the coming few months. It is not yet final.

TRP What problem is it designed to address?

LT The regulation is designed to address blurred lines around the protection of personal data. It is expected to address globalisation and developments in how we use, share and store data. For instance, it will tackle data protection in relation to social networks and cloud computing, including secure file transfer and the right to be forgotten.

The draft GDPR is very specific that personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer's IP address. There may be an exception for employee data, which could be subject to individual country regulations.

TRP How are organisations currently reporting data breaches? Does it vary by country?

LT Each country currently has its own Data Protection authority. In the UK it is the Information Commissioner's Office (ICO). Because the current GDPR draft is a regulation rather than a directive, it means it will directly apply to all EU member states without any national changes in legislation. There will be one Single Data Protection Authority (DPA) responsible for each company depending on where the Company is based.

The GDPR will have a significant impact on non-European companies that operate in the EU. The GDPR will make the law apply to non-European companies that trade in the EU as well as to European companies, reflecting that in today's age, business has become borderless.

TRP Why is more regulation needed?

LT There have not been any major changes to data protection law since 1995. The world we live and work in has changed significantly since then and new regulation is needed to ensure that personal data is kept safe and treated consistently across all EU countries.

TRP How can GDPR help?

LT The development of public, private, government and hybrid cloud computing services has complicated data storage and processing over the last twenty years. The GDPR will help by clarifying the responsibilities of organisations relating to the data they handle and store, thus making it easier for both European and non-European companies to comply and avoid penalties.

TRP What impact will this have on organisations?

LT If the draft is implemented in its current form, organisations will need to consider if and how they change the way they collect, process and store data.

The Association for Information and Image Management (AIIM) lays out the changes that organisations will need to abide by in its report entitled Making sense of European Data Protection Regulations. There are eleven key areas outlined that range from gaining consent to collect data to fully documenting any breach.