History will likely show that Europe’s new data protection regulation was a mistake. While the world is in the process of taking a giant step forward by marshaling the power of big data and the Internet of Things to grow the economy, improve governance, and solve pressing social problems, European policymakers have chosen to take two giant steps backward.
The new regulation’s intent may have been to give citizens control of their personal data, but its provisions will be onerous in practice—like trying to sail with an anchor overboard. Large, medium-sized, and small businesses, entrepreneurs, civil society groups, and government all will have an unduly hard time using data to start new ventures, expand well-established ones, or enrich European citizens’ lives by discovering solutions to challenges in health care, education, or the environment.
The new regulation should not be the last word on these issues. European policymakers have until 2018, when the law comes into force, to turn in a new direction. Now is the time to get started working on a new framework that is actually appropriate for a modern data economy.
In light of the news that after fouryears of discussions, new EU-wide privacy rules will come into force in 2018, Iain Chidgey, VP and General Manager, International at Delphix, comments:
"The EU General Data Protection Regulation (GDPR) is a call to arms for organisations.
"One of the EU's most heavily contested legislations, its controversial requirements threaten significant penalties for businesses worldwide that are non-compliant with data protection rules.
"However, it also offers hope by introducing a ‘carrot’ and ‘stick’ approach. A ‘carrot’ recommending ‘pseudonymisation’ to ensure personal information is no longer identifiable - reducing certain obligations on those who follow this approach. A ‘stick’ in the form of a threat surrounding the penalties for businesses that are non-compliant.
"For many enterprises, this will mean re-architecting operations to accommodate a data-first approach. The first step will be understanding where all the data sits. The second step will require technology that has the ability to scale and protect all data.
"For many, this will require an investment in new technologies like data masking, that can pseudonymise data once and ensure all subsequent copies have the same protective policies applied. Only by taking this course of action, can organisations future proof the business from costly data breaches and ensure compliance with all elements of new and impending regulation.”
Mark Thompson, privacy lead in KPMG’s cyber security practice, comments on the approval of the European Parliament‘s position of the General Data Protection Regulation (“GDPR”), thus completing its legislative process. He said:
“It has been a long time coming; with more suggested amendments than any other EU regulation, we are finally there. The EU has finally herded the cats up the hill which sends a firm message to businesses that privacy is at the forefront of the EU’s mind, and organisations need to take action to address their privacy risks.
“The approach of the GDPR provides a risk based application of a "one size fits all" set of rules across the EU and recognises the different levels of privacy risk associated with SMEs and large global organisations. Privacy will be catapulted up the list of global organisations’ enterprise risks, requiring them to re-evaluate take action.
“For non-EU businesses that trade in the EU, this agreement will require some to re-think some of the activities they carry out in the EU. This makes it much harder to operate certain “global” services and will require them to truly put an EU lens on the business activities which are undertaken in the EU market."
“It’s clear that by the time the regulation comes into play in 2018, for a number of organisations, there will be a lot of work to do.”
