Following European Commission debates, the end of this year sees the publication of new legislation governing how personal data is to be stored and processed by EU member states. These proposals look to unify and streamline rules across the EU; at present, all 28 states have markedly different rules and interpretations for personal data protection. The new legislation will create a uniform rulebook for all of the EU, including penalties for violations and misconduct.
The new rules will have the most impact on cloud service providers. Currently, across the member states, data protection responsibilities fall upon the business owners. Following publication in 2016, Cloud Service Providers (CSPs) will have legal obligations to ensure that data stored and processed in their systems is adequately protected.
In practical terms, what this means for CSPs is a lot more work – setting up cloud servers will mean working with clients to establish exactly what kinds of data will be stored on the servers and finding the most appropriate protection and encryption procedures for these. In general, CSPs will be forced to offer a more bespoke service to clients large and small. Additionally, servers face legal obligations to notify clients and a Data Protection Authority of any security breaches within 72 hours. Businesses can expect to pay a good deal more for their cloud infrastructures because of these additional rules, or risk facing a fine of up to €100 million, writes Computer Weekly.
The new rules will have a wider global impact than just the EU – cloud servers from the US and elsewhere outside the EU will be affected if they hold data of clients from within the EU, as it is the residents to whom the laws apply. The ‘right to be forgotten’ clauses are a major point of contention in this global impact, as they allow EU residents to demand their data be deleted once it is no longer needed.
What this means for EU residents is peace of mind, the right to be forgotten, as well as increased transparency between clients and data processors, with the knowledge of how personal data will be used. Companies are now being urged to upgrade their data protection in anticipation of the EU’s implementation of the laws in 2017. Landmark Technologies welcome the changes, stating that too many businesses are risking too much by utilising basic protection methods such as passwords. What most businesses need, they argue, is Multi Factor Authentication (MFA), which layers multiple methods of authentication together. This offers increased protection for businesses, as well as more freedom for workers to bring their own devices or work on a mobile scale. This meets the requirements as laid out by the European Commission, as authentication methods can be customised depending on the volume and types of data being used.