With a recent, but less publicised executive order from President Trump, things are happening on both sides of the Atlantic with regard to personal data, and it looks like the US and the EU have very different ideas about the direction to take.
We all leave a digital trail these days, just going about our daily business. Much of it we don't think about, and we often consciously choose to trade this personal data ourselves in exchange for free services. Think about it: your internet searches, social media, the websites you visit and your location while you're doing it, even exercise activity and your home heating usage via a smart thermostat, all have data harvested and monetised by big business.
Much of this you might not care about, but personal medical records, mental health, legal records, finance and the like probably cross the line for you; it's personal, after all. The trouble is that the lines between what's shared and what's kept truly private are blurring.
Some camps think that the pendulum has swung too far in favour of business, and that there should be a rebalancing, with more power handed back to the individual. While this view can be found in the US as well, it's the EU that has chosen to legislate to protect its citizens. This comes in the form of the General Data Protection Regulation (GDPR), coming into force in May 2018.
GDPR is a big deal. It has been described as the “biggest overhaul of data protection regulation ever undertaken”, and despite being a European Union initiative, it has profound implications for any businesses operating in the EU or with European customers.
It is a new set of regulations that is being rolled out across the European Union in just 12 months' time and, according to the law-makers, “aims to protect all EU citizens from privacy and data breaches in an increasingly data driven world.” Organisations trading with EU nations will need to comply, and failure to do so will see them face fines of up to 4% of annual global turnover or €20 million.
While there is certainly growing awareness of the arrival and the importance of GDPR, many are concerned that the regulators are running well ahead of the business community, which is not as prepared as it should be. GDPR is far-reaching, and for many it will require investment in time and technology to ensure their businesses cross the start line in May 2018 in good shape. It is a certainty that the first significant data breach to hit the headlines after the regulations come into force will receive extra scrutiny and publicity. Organisations will not want to see their names in the firing line for something they can work to prevent now.
There has been understandable attention around GDPR, but it is not the only new piece of privacy regulation in town. The EU is also working to update its ePrivacy Directive, intended to protect personal data in electronic communications. Historically, the directive has focused on how companies collect data about individuals online, particularly via website cookies. In future, individuals will be given more control over their privacy settings and over what data cookies can collect about them.
It's this piece of proposed legislation that is at odds with the executive order from the US president, which scraps new protections, made law during the Obama presidency, that were due to be implemented by the end of the year. Those protections would have forced ISPs to get clear permission from users before sharing personal data such as “precise geo-location, financial information, health information, children's information, social security numbers, web browsing history, app usage history and the content of communications”. Furthermore, ISPs would have been ordered to give their customers the ability to opt out of the sharing of less sensitive information, such as an email address.
It's not just this executive order that may cause US-EU clashes over data privacy, though. Another order, somewhat buried by the recent immigration-led stories, cast doubt over the future of Privacy Shield, the replacement for the Safe Harbor agreement. Indeed, a single court case 'cast doubt' over Safe Harbor, and that eventually killed it. Without Privacy Shield, it is considered that GDPR would make it illegal for EU businesses to use US-based companies to process data, which would have a big impact on cloud-based services. In fact, Privacy Shield was created with GDPR in mind. For those in the UK, this is complicated somewhat further: GDPR will become law next year, but when the UK exits the European Union in 2019, it will exit Privacy Shield at the same time.
Technology is going to play a pivotal role in the ability of organisations to meet these requirements. Being able to easily encrypt and move data and workloads between cloud vendors, for example, provides a contingency against the current level of uncertainty for EU and US businesses. In addition, Microsoft, Amazon and others are tripping over each other to build more capacity in Europe, so there will at least be somewhere for EU businesses to relocate to if things remain unclear, or get worse.
In the case of GDPR, the ability to index data across a company's whole estate, including public cloud, can really help to get a handle on where PII (Personally Identifiable Information) is stored, and even to set policies that manage that information according to its content.
Businesses making choices about the technology they will use to adhere to GDPR will also need to consider the nuances of specific GDPR articles and principles, such as the right to be forgotten, data minimisation, breaches (in the datacenter and on endpoints), protection by design and by default, data transfers and more.
Personal information is an intrinsic part of modern business that cannot be ignored. With GDPR setting a new benchmark for its protection, the tug-of-war between those who want to exploit it and those who want to protect it is set to continue for the foreseeable future.
Nigel Tozer, solutions marketing director EMEA, Commvault