Yet another ‘breakfast seminar’, subject the upcoming Data Protection Regulation (GDPR). You turn up between 8 and 8.30 for a sandwich and coffee, and the following hour is spent listening to experts speaking on a subject that is burning in the back of the heads of every CEO, CTO, CSO and CISO in EU member states.
Déjà vu – the message is the same again, received loud and clear: the Regulation is not complete, and in fact 30% is incomplete! Panic ensues as the CxOs absorb and comprehend. The news is not new; it's just that as each month passes, eating into the end of 2015, the CxOs are expecting something new!
Focus on what we know; there is so much to do without losing sleep over the unknowns!
I am disappointed again, and have to stop myself jumping up and stealing the stage. What I am missing is the message stating what is actually in place, what we know. The message that 30% is incomplete is not contextually correct. Sure, member states cannot agree on specifics, e.g. should the fine imposed on offenders not following the rules be 2% or 5%, and should the breach notification deadline be 24 or 72 hours? However, what is decided on are the basic underlying principles that were defined in the EU Data Protection Directive of 1995. The Directive has 2 fundamental goals:
- To facilitate the flow of personal data across national borders within the EU, and
- To protect the rights of EU data subjects.
All the legal text written within the Directive, and the upcoming Regulation, is founded on these goals. EU Data Protection law (as is all privacy legislation worldwide) is based on 8 privacy principles (OECD Guidelines): Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation and Accountability (the embedded podcast gives an intense overview of these). These principles have been further classified into 11 in the ISO 29100 Privacy Framework standard, whereby Consent and Data Minimisation have been broken out and described further.
There is so much CxOs can do before the Regulation is finalized and implemented. Principally, one can establish the gap between the local Data Protection legislation and the Directive (1995). For example, in Sweden this gap is significant. Personal data is public information due to a clash with the Freedom of the Press Act, which makes the Swedish Data Protection Act somewhat impotent. Today 996 Swedish companies have something called an ‘utgivningsbevis’ which permits them to publish and make money from the personal data of Swedish citizens and residents. The data subject in Sweden has no right to have this data removed… believe me, I’ve tried! This is incompatible with the Directive, and with the upcoming Regulation. There are also some interesting deviations in how structured and unstructured personal data are treated; basically, how the existing law deals with unstructured personal data will not be compatible with the Regulation, just as it is incompatible with the Directive today. Both of these examples contradict some or all of the 8 privacy principles that the Directive and the Regulation are grounded upon. There is so much work to do now…
So I’m going to help you to help yourself! You can get an intense exposure to the 8 privacy principles in the embedded podcast below, but it is pretty intense, and you need to stay focused for 12 minutes of listening to my voice… maybe not easy 😉
Alternatively, if you want to fast-track yourself or some keen privacy enthusiasts in your company to be ready to run in 2016, I have just launched a 10-hour online course (Privacy & Data Protection – Introduction) that is kind on time and budget (€225). The learner will earn a Privacy EAGLE badge that is compatible with Mozilla’s OpenBadge standard. Sitting behind the learning platform, in addition to myself, will be a young lady legal geek qualified in both English and Swedish IT and Data Protection law.