EU directive around data privacy and protection: impact on your company and timing.
Why this article?
The new EU data privacy and data protection directive might still seem like a distant compliance topic for the vast majority of companies. In this set of blog posts, though, we ask whether the ~2,5 year timeframe (estimated due date: end 2016) is indeed a long time for implementing and complying with this directive, or whether we should be vigilant and start looking into it now. A recent call with a Gartner resource confirmed our hunch that companies that are mature in information management are already putting this new directive high on their agenda.
The directive concerns the processing, maintenance, storage, distribution and erasure of personal data by all enterprises that are involved with personal data of natural persons residing within the European Union. Personal data means any information relating to a data subject (natural person), both structured and unstructured, held in electronic or manual format. The directive also focuses on security, and in particular on personal data breaches. These personal data breaches include accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
The directive was already put up for a vote at the EU parliament earlier this year and is expected to be signed by the member state ministers by the end of 2014 or beginning of 2015. It's one of the top tech priorities for the current Italian EU Presidency as well as for the new EU commission president Mr. JC Juncker. Upon final approval, we estimate a default 2 year period to allow companies & governmental bodies to prepare & comply.
In this first article we will give a high level overview of the big impact areas (MDM, Integration, BI, Organization, Communication, ...). Each main impact area will be detailed afterwards in a set of dedicated articles. We will not necessarily cover all impact areas, nor will we refrain from specific details in the directive. Furthermore we will not cover all potential exceptions as mentioned in the directive. The goal is to provide a high level overview of the impact.
Besides the mandatory assignment of one or more Data Protection Officers, it's clear that these people (in most cases) will not work alone. Handling requests, internal audits, support in projects etc. will require a full team. The DPO and their staff will closely collaborate (from the start) with several other (corporate) functions such as: Legal office, Security office, Project office, (Enterprise and Solution architecture), Solution portfolio office, data governance & analytics organization and the BPM office & organization. Furthermore, in case of a data breach an on-call (and ready to act) support team must be able to respond to the authorities within 24 hrs. and to data subjects without delay. Standards, policies and procedures should be set up to accommodate this.
Requesting data, updates & erasure:
A request process is to be put in place, with efficient request handling. Requests can be about the creation, update or deletion of personal data. Handling large volumes of data and large numbers of requests indicates the potential need for a data services approach (e.g. ESB enabled) and (potentially) a request-reply mechanism, especially since automatically processed data must be provided to the data subject in an electronic form that is easily accessible & readable by the natural person. The use of data services (e.g. ESB enabled) can also be a good approach to keep track of sources & consumers of data. Tracking relevant integrations of personal data can facilitate the required proof of correct deletion & removal of data, both for internally consumed data and for data that was shared with third parties (right to erasure).
Data, documents and communications about natural persons' data:
The master data and documents related to natural persons' privacy & protection (e.g. proof of consent, age, language, consumers of the personal data, data categories, ...) will be extended, which means that a wide variety of new attributes & documents must be stored in a master data solution and an enterprise content management solution (ECM). Besides a set of extra attributes and documents, certain data like race, ethnicity, health etc. can no longer be kept (besides some exceptions). When communicating about these documents, the directive distinguishes between children and adults, both in giving consent and in actual communication about personal data requests, updates or deletes. Furthermore, operational paper and electronic documents like contracts, invoices, sales orders, etc. containing personal data should also be traceable, which means that they have to be (scanned &) moved into an ECM solution as well.
The better the data quality & accuracy, the fewer requests an organization will receive for rectification & completion of personal data records. High data quality & accuracy therefore directly lowers effort & costs. Furthermore, a data subject who is in doubt about the accuracy of his personal data can contest the use of his personal data, which directly impacts the ability to process the data. High data quality & accuracy therefore directly impacts the processing of personal data.
Not only can a natural person object to profiling activities with his/her personal data, the controller also has to keep logs about actual profiling & measurement activities. This affects not only the (relatively small) domain of profiling, but also the full scope of IM in the company. After all, MDM, BI & advanced analytics all depend on some sort of profiling or data mining from time to time.
The MDM solutions can and should play a key role in the implementation and maintenance of this directive. After all, data quality can be obtained at the source, and the better the accuracy is at the source (and at its consumers), the higher the chance of being compliant. MDM, ECM & other source solutions will be considered (together with Integration) as the watch-towers of personal data, increasing the role and importance of these systems.
A company should be able to demonstrate the effectiveness of the operation of controls and governance, which encompasses e.g. DQ metrics and measures of training and staff knowledge/awareness (part of DG). This means a set of controls must be set up, maintained & integrated with operational processes.
Exceptions will be handled as well, where we look into exceptions for health-care & patients' health risks, as well as the use of personal data for criminal investigations etc.
Data storage, architecture and design:
The minimal storage of personal data, combined with a predetermined architectural design imposing minimal usage of personal data, is not to be taken lightly. Especially for companies with an existing reference architecture, some adaptations might be required. Architectural impacts should be considered not only during the next 2,5 years, but should already be imposed on any new service, project or architectural design. In a subsequent post we will include a high level roadmap, showing that (especially for mid-sized & large companies) the journey around this new directive has to start now (with Master Data Governance).
Would it be possible to e-mail me the presentation you gave last year on the EU data protection reform?
I am the project leader of the so-called Maritime Single Window, which member states must set up by 1 June 2015 as a result of the so-called Reporting Formalities Directive (RFD) (EU 2010/65). In Belgium, the choice was made to implement the functionality in existing systems instead of building a completely new system. The RFD also requires personal data to be reported (crew, persons on board, health information, etc…). The situation is complex: several systems are connected to each other via middleware; some systems belong to the government, some to private entities