Data and how it is stored, managed and protected has never been so topical an issue. A number of high profile security breaches over the past 18 months, allied with general concerns about how consumer information is used by major enterprises, have meant data is at the top of the agenda for many organisations.
This has been exacerbated further by the new European General Data Protection Regulation (GDPR), which will change both how consumer data is stored and how organisations must respond if a data breach occurs. There are fines of up to €100 million (£79 million) for organisations that fail to comply. The GDPR is hugely significant legislation and will change the way many organisations access and store data; it also provides a major opportunity for cloud providers.
Data security to this point
Data Protection laws and regulations across the EU govern the storage and processing of data that would allow an individual to be recognised. They are intended to address the risks around privacy and data loss, and to provide a framework for good information governance.
In 1980, the Organisation for Economic Cooperation and Development (OECD) published "Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data." The objective was to create a comprehensive system for the protection of personal data throughout OECD countries, principally Europe and the US.
A year later the "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" was negotiated within the Council of Europe, obliging the signatories to enact legislation concerning the automatic processing of personal data.
This included seven key principles:
• Notice – data subjects should be given notice when their data is being collected
• Purpose – data should only be used for the purpose stated and not for any other purposes
• Consent – data should not be disclosed without the data subject's consent
• Security – collected data should be kept secure from any potential abuses
• Disclosure – data subjects should be informed as to who is collecting their data
• Access – data subjects should be allowed to access their data and make corrections to any inaccurate data
• Accountability – data subjects should have a method available to them to hold data collectors accountable for following the above principles
This resulted in the first EU Data Protection Directive implemented between 1984 and 1986 in the then EU states. The Directive was revised in 1995 and covers the protection and processing of personal data regarding individuals, and the free movement of such data across the EU.
The Directive is a component of EU privacy and human rights law. Directives are not legally binding for EU countries in principle, so whilst it has been incorporated into respective state laws across the 28 countries, it has been implemented in different ways.
This lack of consistency has led to confusion for those wishing to store and process data, something at odds with the EU ideal of a single open market across all states. The situation has been further complicated by the development of public, private, government and hybrid cloud computing services. These have created a challenge to on-premises data storage and processing, and with it uncertainty about which of the respective organisations is responsible for data protection and data privacy.
General Data Protection Regulation
So the European Union is soon to implement the General Data Protection Regulation (GDPR), which will bring all 28 countries under a single regime of rules, and penalties for breach. This is perhaps the greatest opportunity that cloud providers will have seen – a chance to deliver EU-wide services under one single operations model.
The purpose of the GDPR is to provide a single law for data protection to cover the whole of the EU. As a Regulation, rather than a Directive, there will be one single set of rules regarding data protection and individual countries will not have the freedom to make choices. As soon as the regulation is passed, each of its provisions will become part of the national legal system of each EU Member State, "as is".