Data Privacy Day Is a Good Time to Think about ECM and the Cloud

By: John Mancini on January 27th, 2015

Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the January 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Data Privacy Day is now a celebration for everyone, observed annually on January 28.

One aspect of the complicated set of data privacy issues facing companies and individuals that AIIM has focused on is the implication of the pending European data protection reforms for the storage and management of content in the Cloud. The AIIM publication is the most comprehensive view I know of European laws and regulations relating to the Cloud.

The purpose of the pending European General Data Protection Regulation (GDPR) is to provide a single data protection law covering the whole of the EU, replacing the present Directive (95/46/EC), which has been implemented differently in each member state.

As a Regulation rather than a Directive, the GDPR will impose one single set of data protection rules; individual countries will not be free to vary them when transposing it, because no transposition is needed. Once the Regulation takes effect, each of its provisions will apply directly in every EU Member State, "as is."


The GDPR should thus make it easier for both European and non-European companies to comply with data protection requirements. Beyond giving a common approach to privacy, and unlike the existing Directive, it explicitly addresses cloud computing and social media and sets common levels of fines for infringements. The GDPR will also establish a European Data Protection Board (EDPB) to oversee consistent application of the Regulation across the EU.

The final details of the GDPR are still under discussion. Per the Association of Corporate Counsel, “Jean-Claude Juncker, the incoming President of the European Commission, has said that the Regulation should be finalized in the first quarter of 2015. Whilst this is a positive emphasis on finalizing the data protection reforms, given the lengthy European Parliamentary process and the matters which remain outstanding, it seems more likely that the Regulation will be finalized at some point in late 2015 or in 2016. The Regulation will be effective two years after it has been finalized and adopted by the European Parliament.”

What Does the New GDPR Mean for Organizations?

As proposed, organizations will have to:

  1. Collect explicit consent from data subjects before collecting their data (data subjects must 'opt in'), and honour a subject's request to withdraw that consent.
  2. Be able to delete all of a data subject's personal data at their request, a provision known as the "Right to Erasure," unless there is a legitimate reason for retaining it.
  3. Provide data subjects with a clear privacy policy.
  4. On request, provide data subjects with a copy of their personal data in a structured format that can be transmitted electronically to another system (data portability).
  5. Undertake an annual risk analysis documenting both the identified risks of data breach or loss and the steps taken to mitigate them.
  6. Establish which Data Protection Authority (DPA) will act as the single lead authority for the organization. This may be in any member state (the UK and Ireland are expected to be the most popular choices because of the English language).
  7. Designate a lead Data Controller responsible for all processing operations across Europe.
  8. For public bodies, and for organizations processing the data of more than 5,000 data subjects, appoint a Data Protection Officer within 12 months of the Regulation being adopted.
  9. Fully document any breach and notify the appropriate authority 'without undue delay.' The authority is expected to decide whether the organization must also notify data subjects where an 'adverse impact' has been determined.
  10. Accept that the data controller and the data processor (for example, the cloud provider) are proposed to be jointly liable for any breach.

AIIM Cloud Data Privacy Recommendations for Data Controllers and Processors

Until the Regulation takes effect, data controllers and their organizations that use, or intend to use, cloud services need to:

  1. Know which EU countries the personal data of their data subjects originates from.
  2. Follow the current legislation, particularly with regard to transfers of that personal data across borders.
  3. Establish whether any existing processing falls foul of current legislation, and work with the relevant Data Protection Authorities to resolve any problems.
  4. Review contracts with existing data processors to ensure that they comply with current legislation.
  5. Set a compliant strategy in each geography that reflects the requirements of the GDPR before the end of its transition period (currently expected to be 2017).
  6. Establish procedures and begin obtaining explicit consent for the collection and processing of personal data, in preparation for the Regulation taking effect.

Data processors providing cloud services need to:

  1. Review the physical locations of their data centers and ensure that they are not currently processing personal data outside the boundaries set by the legislation of the individual countries concerned.
  2. Decide whether to establish data centers within the EU/EEA, or in other jurisdictions recognized as providing an adequate level of protection, in preparation for the Regulation.
  3. Set a compliant strategy for the company as a whole, and for each geography, in preparation for the requirements of the Regulation.
  4. Educate sales and technical staff on the implications of the Regulation, and amend contracts and provisioning accordingly.

Data Privacy Day is a good time to start thinking strategically about these issues. The AIIM white paper, Making sense of European Data Protection Regulations as they relate to the storage and management of content in the Cloud, is free. Download a copy today and get started.


About John Mancini

John Mancini is the President of Content Results, LLC and the Past President of AIIM. He is a well-known author, speaker, and advisor on information management, digital transformation and intelligent automation. John is a frequent keynote speaker and author of more than 30 eBooks on a variety of topics. He can be found on Twitter, LinkedIn and Facebook as jmancini77.

Recent keynote topics include:

  1. The Stairway to Digital Transformation
  2. Navigating Disruptive Waters — 4 Things You Need to Know to Build Your Digital Transformation Strategy
  3. Getting Ahead of the Digital Transformation Curve
  4. Viewing Information Management Through a New Lens
  5. Digital Disruption: 6 Strategies to Avoid Being "Blockbustered"

Specialties:

  1. Keynote speaker and writer on AI, RPA, Intelligent Information Management, Intelligent Automation and Digital Transformation.
  2. Consensus-building with Boards to create strategic focus, action, and accountability.
  3. Extensive public speaking and public relations work.
  4. Conversant and experienced in major technology issues and trends.
  5. Expert on inbound and content marketing, particularly in an association environment and on the Hubspot platform.

John is a Phi Beta Kappa graduate of the College of William and Mary, and holds an M.A. in Public Policy from the Woodrow Wilson School at Princeton University.