EU Data Protection three years on: Playing catch up with a changing world

In January 2012, new EU rules designed to create a secure and unified landscape for the collection, use and retention of data were announced.

The changes in regulation were based in part on consumer research undertaken two years earlier and aimed to reflect growing concerns around online data privacy, the evolving digital landscape and globalisation.

The new rules would give individuals greater control over their personal data, make businesses more accountable for that data – with stricter requirements for protection and penalties around data breaches, for example – and commit EU member states to a set of consistent, legally-enforced regulations and rigid definitions. Companies outside the EU would have to abide by these rules.

But three years is a long time in the rapidly evolving digital universe, and it is likely to be another year before the proposals are finally agreed upon.

Consumer attitudes and behaviours have changed significantly since 2012, let alone since 2010 when the research was undertaken. Moreover, new tools and technologies have transformed the way data can be, and is being, used by business.

For example, over the last few years, new digital marketing tools have entered the market that can capture, track, profile, target and personalise individuals more effectively than ever before. They draw on the cloud of context, location, browsing and the behavioural data consumers now generate with every digital interaction.

In such a complex, data-rich landscape, it will be a tough ask for businesses to seek and obtain ‘explicit consent’ from each consumer as demanded by the proposals.

The rise of e-health applications, personal lifestyle monitoring, cloud computing (where personal data could be held anywhere in the world) and, of course, the internet of things is further transforming what data can be collected and how it is used.

BMW recently reported that it is under growing pressure to release the data collected by its connected vehicles, including information on individual car performance, speed, navigation and even its current occupants.

With such technology-enabled, data-driven services entering everyday life, consumers are becoming more complacent about data use. Our own European research found that 88 per cent of consumers say they now deal with so many organisations, both online and offline, that they don’t know who holds what information about them.

Three quarters (72 per cent) are not convinced that the benefits of having their information deleted are worth the bother of getting it removed.

However, such tolerance is not universal. There are areas where data privacy concerns are rising sharply. The widely reported NSA investigations, growing cyber-threats and invasive marketing leave many consumers feeling vulnerable and angry about how their personal data is gathered and put at risk.

In short, connected consumers are setting their own standards for acceptable data privacy. Studies show people are prepared to reveal more information to the organisations they trust. Often these are the businesses that have effective data security and privacy standards in place. As industry analyst Forrester says: “in the battle to win, serve and retain customers, data security and privacy have become competitive differentiators.”

Companies may be better off responding to the evidence of such consumer behaviour than waiting for the legislation to be finalised before deciding how to prioritise and protect the use of personal data in their business.

This is even more important because, during the course of the last three years, a number of landmark events have meant that, in the absence of the new legislation, other entities have started to make important data protection decisions. These include the May 2014 judgement against Google on the ‘right to be forgotten’, a cornerstone of the proposed regulation.

There is a great deal that is valuable, and much needed, in the new proposals. They will ensure consistency across the 28 European member states and with organisations outside the EU that collect, store or process European data.

The rules seek to build a strong framework around the use of personal data in research, and the need for ‘anonymising’ such data. Furthermore, they aim to ensure that definitions for things such as ‘data consent’, ‘data portability’, the ‘right to erasure’ and ‘data breach notification’ are universally agreed, understood and implemented.

Organisations need to prepare. Iron Mountain has published a business advisory paper to mark World Data Protection and Privacy Day that we hope will help organisations to grasp the full implications of the new regulation and understand why they matter.

Not just in 2016, when they are finally agreed upon and implemented, but right here, right now.

Sue Trombley is managing director in professional services at Iron Mountain.