For the tenth year running, 28 January marks an important cornerstone in Europe’s calendar, celebrating Data Protection Day or Data Privacy Day, as it is known elsewhere across the globe.
Today, like each year past, marks the anniversary of the opening for signature of the Council of Europe’s Convention number 108, which calls for “the Protection of Individuals with regard to Automatic Processing of Personal Data”.
This convention seeks to regulate the flow of personal data across borders and provides guarantees in relation to the collection and processing of “sensitive” personal data. The Convention also enshrines the individual's right to know where personal information is stored and, if needed, to have this corrected.
Today, Data Protection Day falls in the midst of much discussion and negotiation and may soon be superseded. In recent years, with the rise of Internet-based services, we’ve seen individuals’ personal data become increasingly accessible and difficult to remove. As a result, there is a general feeling that existing data protection regulations are ill-equipped to ethically process and safeguard our modern-day data footprint.
In line with these doubts, we saw the invalidation of the Safe Harbour agreement at the end of 2015, due to the fundamental philosophical difference between the EU's expectation of privacy and the US’ drive to grow our global marketplace and improve national security at the same time, despite the potential negative effect on the protection of individuals’ personal data. For years, Safe Harbour acted as the sole compliance mechanism for many US companies, and this has forced organisations globally to re-consider their approach to data handling.
Uncertainty still lingers as we await a possible Safe Harbour 2.0, as well as pending changes to EU regulations later this year. Although the finer details of the regulation are yet to be ratified, the mooted changes include the need for organisations to rigorously evaluate the risks of any data handling and guard against the accidental loss of data. It will only be possible for organisations to process data if the individual concerned consents, or if the processing is strictly necessary. If a company employs more than 250 people, it will also be obliged to appoint a data protection officer in-house to ensure the lawful handling of data. In addition, individuals can request their data to be deleted under the “Right to be Forgotten” clause.
Businesses worldwide have now woken up to this uncertainty around pending rulings, and are starting to grasp their possible impact and reach. As businesses await the final decision, they can be sure of one thing: in future, data privacy compliance will be about a lot more than just providing security. For those unprepared for legislative changes, there is a hefty fine of 5 per cent of revenue to pay for non-compliance.
To remain compliant and avoid penalisation, enterprises must ensure that they have implemented an effective data management infrastructure. Whether data is stored on premise or with an external private or public cloud provider, organisations should assess and reassure both employees and customers that data is collected, processed, accessed, shared, stored, transferred and secured in accordance with all laws and regulations, and that data is only being used in pre-agreed, legitimate and lawful ways.
When businesses consider their future storage infrastructure and processes, they can assess whether there is the flexibility in place for data to be integrated, managed, replicated and moved across storage systems and cloud vendors. The benefit of this approach to data management is that service providers are able to pinpoint where any data is stored, move it easily, and also delete it if necessary. NetApp’s own clustered Data ONTAP storage operating environment is one such example, and can be used across cloud and on-premises infrastructure to create a Data Fabric that acts as a single system, meaning that data is more easily managed and controlled, thereby making compliance simpler for cloud providers and the companies deploying them.
There’s no doubt that this year’s Data Protection Day serves as a timely reminder for organisations about the importance of correctly handling and safeguarding individuals’ personal data. It also highlights the uncertainty around how these regulations may change and develop in the coming months, as decisions are reached to align future legislation with our modern data footprint.
Retaining full control over the data plus the flexibility to adapt to future developments in the law are critical for companies as they capitalise on the opportunities of modern IT.
Dierk Schindler, Head of EMEA Legal Field Services, NetApp