With the 1995 Data Protection Directive (DPD), the EU adopted an ambitious set of data security and privacy rules. Among the Directive's requirements were obtaining the individual's consent before processing, limiting the amount of data collected to what was necessary, allowing correction and erasure of personal data on request, and obliging organisations to delete data that was no longer relevant to the purpose for which it was collected.

The EU was one of the first jurisdictions to take many of the privacy principles we know today as Privacy by Design (PbD) and turn them into binding data protection law. The DPD also had an advanced definition of personally identifiable information, referred to as "personal data", which is what the law ultimately protects. Under the DPD, personal data could cover both conventional identifiers (name, address, phone number) and Internet-era identifiers such as online handles.

As the years passed, further interpretation by regulators and rulings from the EU Court of Justice (ECJ) extended the original DPD to cover cloud providers and the erasure of data published on the Internet, and, at least for the US, added a separate framework, the EU-US Safe Harbor, to govern the transfer of personal data outside the EU (the ECJ invalidated that framework in October 2015). However, the DPD soon began to creak. Part of the reason was that a Directive leaves each EU member state to enact its own national law implementing it and then to interpret that law, so differences between countries began to emerge. While the DPD provided a solid foundation, it was not equipped to handle the explosion in data collection and storage, and it did not specifically address cloud processing, which fell into a regulatory grey area.

The new General Data Protection Regulation (GDPR), which replaces the DPD, was approved in April 2016. As a Regulation rather than a Directive, it applies directly and uniformly across the EU without national implementing laws, and it addresses many of the DPD's shortcomings. Companies have up to two years to become compliant: the GDPR applies from 25 May 2018, and the interim period is for organisations to prepare.

The GDPR adds requirements for documenting processing activities and IT procedures, performing data protection impact assessments for high-risk processing, notifying the supervisory authority (and, where the risk to individuals is high, the affected individuals themselves) when a personal data breach occurs, and stricter rules on data minimisation. For companies with no establishment in the EU that nonetheless offer goods or services to, or monitor the behaviour of, individuals in the EU over the Internet, the GDPR's extra-territorial scope means the Regulation applies to them as well.
Finally, the GDPR carries a significant financial sting for non-compliance. Fines are tiered: less serious violations (for example, failures in record-keeping or breach notification) can reach €10 million or 2% of worldwide annual turnover, whichever is higher, while the most serious lapses (such as violating the basic principles of processing or data subjects' rights) can reach €20 million or 4% of worldwide annual turnover, again whichever is higher.
Ultimately, the message for companies that fall under the GDPR is that awareness of your data, meaning where sensitive data is stored, who is accessing it, and who should be accessing it, becomes even more critical.