Today in London, England, we gathered professionals with an interest in privacy, operational security, site quality, and accessibility compliance for a breakfast meeting designed to discuss in greater detail the new developments approved by the European Union (EU) Parliament regarding approaches to privacy law and personal information across the European Economic Area. The event provided a unique opportunity for attendees to exchange ideas, questions, and best practices with local compliance professionals and consultants in an intimate and interactive setting.
In light of the event, we spoke with two compliance experts involved with the event about the legislation and major challenges organisations are facing around data privacy today:
· Hazel Grant, Partner Specialist in Compliance at Bristows LLP
· Ralph O’Brien, Compliance Solutions Specialist at AvePoint
How do you feel that privacy legislation (such as the European Commission Data Privacy Directive) is perceived by organisations?
Hazel Grant: I think many organisations see privacy legislation as a real burden, and often that is caused by the language of the legislation and the different perspectives of the organisations. So, for example, a US organisation might read the privacy legislation literally and feel that it is impossible to comply fully, which is probably true. An EU organisation might read the legislation knowing how it might be enforced by regulators and/or individuals and therefore feel that the burden is not so great. One interesting development, though, is that some companies are highlighting privacy compliance as a differentiator in selling their products and/or services.
Ralph O’Brien: The EU Data Protection Regulation can be viewed both negatively and positively. Most of the perception out there is that there is a new regulation, and that if organisations fall foul of this, they will be penalised. That’s not exactly positive, and most are failing to spot the positive intention and competitive advantage that can be gained from leveraging privacy compliance as a differentiator. Good information management can be utilised for economies and efficiencies internally, but also reducing data management costs – something that is often overlooked by organisations that simply try and “tick the box” with compliance initiatives.
What do you see as the most positive trends in the realm of privacy today?
HG: The increasing awareness of privacy requirements, so employees and managers in organisations have a heightened awareness of their personal rights. This makes it more likely that they will emphasise privacy compliance when at work. Additionally, the whole “privacy by design” movement is a good development.
RO: The fact that recent marketing messages from organisations such as Microsoft are using slogans like “Privacy is our Priority” to differentiate themselves from competitors is a real break and taps into a growing public consciousness surrounding their privacy rights. Global events, privacy breaches, and news articles such as PRISM/Edward Snowden and WikiLeaks/Julian Assange, as well as concerns around social media and search engine providers’ usage of data, have all contributed to the groundswell of public awareness, where individuals want to hold organisations accountable for poor management of personal data.
What do you see as the most negative trends in the realm of privacy today?
HG: The debate in the EU over the future of privacy laws is worrying – mainly because there is a risk that we will have new laws that have been pushed through too quickly or agreed as part of a political deal. We have seen before (in the EU cookie law) how rushed or compromise laws can be very difficult and confusing for businesses to implement.
RO: Some of our greatest strengths are also some of our greatest weaknesses. Emerging technology will always innovate first and comply later – current examples include wearable technology and a trend towards connecting sensors in the “internet of things”, combined with several large providers having much more data and insight into our lives than before. When one provider has your location-based data, emails, search results, document storage, and more, the potential for harm is just that much greater.
What are the areas of data privacy that organisations are most concerned about?
HG: There is still a lot of work being done by many businesses on general compliance – employee notices, dealing with international transfers, and reviewing service provider contracts. Additionally, data losses will always occur, and when they do, organisations often aren’t prepared on how to respond to the loss and/or report to the regulator. However, the main areas being talked about are the use of cloud computing and the challenges of big data and data protection compliance.
RO: New technologies around growing trends such as cloud computing, social networking, and Bring Your Own Device (BYOD) are key concerns. All of these services decentralise control, passing it further away from central administration and toward the users and third-party providers. This distance and decreased central control empowers users to collaborate as well as generate content and work remotely in ways never possible before, but also increases the challenge and opportunity for non-compliant practices to emerge and go unnoticed amongst the user base. Using automated solutions to enable adoption and user education is a necessity in these environments to ensure effective control and an approach that mitigates risk.
How do you think the new EU regulations will impact organisations?
HG: I think there are two parts to this: for organisations with a highly developed privacy compliance programme, there is likely to be an incremental change due to the proposed EU laws. However, for organisations that haven’t yet “grasped the nettle” that is data privacy, there will be a real change required, with detailed internal policies and procedures, better notices, appointment of a data protection officer, policies to deal with data breach notification in possibly 24 hours, and the risk of two percent global turnover fines. So there will be a lot at risk and a lot of change required in two years.
RO: It will depend on how proactive the organisation wishes to be. There is a timeline for this to be introduced, but the best way to comply tomorrow is to comply today. In some ways, the founding principles of the privacy legislation remain the same: fairness, retention, purpose limitation, appropriate security, etc. However, I believe the main impact will be on how organisations proactively monitor and demonstrate compliance, as well as ensure they have the ability to respond to new requests from data subjects and notify regulators when breaches occur. Achieving this will involve organisations having to invest in new processes and solutions. In my opinion, organisations face a risk-based choice: to bury their heads in the sand and believe the regulations to be a burden, or to embrace them as part of an enabling and positive programme to gain the benefits of good information governance. Again, the best way to be compliant tomorrow is to invest in getting the benefits of good information governance today.
Interested to learn how AvePoint’s solutions can help you solve your organisation’s data privacy challenges? Visit our website today.