• Introduction 4
• Background 12
• A Quick Guide To The New Rules 15
• Want To Know More? 17
• Red Tape Reductions! 19
• The 5 Key Points 20
• Case Study 1 22
• 8 Important Things To Remember 26
• Case Study 2 28
• Next Steps 31
• Compliance 32
• 9 Things You Should Do Right Now! 33
• Conclusion 35
• Appendix 38
European Data Protection Legislation 3
IM-A5 Booklet_Layout 1 05/05/2016 12:23 Page 3
We’ve all heard and read news reports about how criminal hackers are breaking
into firms such as TalkTalk and stealing thousands of names and bank details.
Or breaking in to Sony and reading all their emails.
Most people know that ‘Phishing’ is the attempt to acquire sensitive information
such as usernames, passwords, and credit card details - and sometimes,
indirectly, money - for malicious reasons, by masquerading as a trustworthy
entity in an electronic communication.
And many people have also heard of ‘Ransomware’, a type of malware that
restricts access to the infected computer system in some way, and demands
that the user pay a ransom to the malware operators to remove the restriction.
How big is this problem?
It’s huge. And growing every day. Hackers have stolen information from millions
of us already. Major companies have failed to keep our private data safe. What’s
happening now is a big wake up call.
The BBC recently uncovered a new type of phishing email that includes the
recipient's home address and has been received by thousands of people.
Journalists at BBC radio were among those who received the scam emails,
claiming they owed hundreds of pounds to UK firms.
The firms involved have been inundated with phone calls from worried
members of the public.
One security expert warned clicking on the link would install malware.
BBC reporter Shari Vahl was one of the first on the team to receive an email.
"The email has good spelling and grammar and my exact home address... when
I say exact I mean, not the way my address is written by those autofill sections
on web pages, but the way I write my address.
"My tummy did a bit of a somersault when I read that, because I wondered who
on earth I could owe £800 to and what was about to land on my doormat."
She quickly realised it was a scam and did not click on the link. Then, only a
couple of minutes later, another BBC journalist received one. And then another
colleague read a similar version - but sent to his home email address this time.
The BBC decided to contact the companies that were listed in the emails as
being owed money.
A spokesman for British Millerain Co Ltd, a waxed cotton fabric manufacturer,
told the programme that the firm "had more than 150 calls from people who
don't owe us money".
And a spokeswoman for Manchester shelving firm Greenoaks said: "My
colleague took a call from an elderly gentleman and he was very distressed
because his wife had had one of these emails."
Dr Steven Murdoch, principal research fellow at the department of computer
science at University College London, said: "Most likely it was a retailer or other
internet site that had been hacked into and the database stolen, it then could
have been sold or passed through several different people and then eventually it
got to the person who sent out these emails."
He added that the email bore the hallmark of previous phishing attempts from
gangs in Eastern Europe and Russia.
He said that clicking on the link would install malware such as Cryptolocker,
which is a form of ransomware that will encrypt files on Windows-based
computers and then demand a fee to unlock them.
So this affects us all, not just big corporations?
Although, of course, it’s the damaged big corporations that lose millions and
make the big headlines, private individuals are also losing thousands.
Most of us are now used to getting fake emails from hackers phishing for
information. There’s often an attachment that once you’ve clicked on it the
hacker has access to your laptop and every keystroke.
They’ve got your name, and they know where you live. They’ve got your bank
details. They’ve got YOU.
As soon as the cyber criminals are in, they’ve stolen your entire digital life.
But it’s not always a bad attachment that signals trouble. It’s amazing how
many people who are pretty careful about security in other areas don’t seem
worried about their email. It’s worth considering what a big part of your life is
revealed to someone reading your email…
Just how easy is it to hack in to other computers?
Some teenagers can break into an international corporation in minutes. Think
of TalkTalk. The latest break in is the third time.
It’s not a bad idea to think of a hack as a break in. You wouldn’t leave your
doors unlocked so why leave your computer or your website open for people
to wander in and steal what they fancy?
After all, if you break into a bank it’s hard and dangerous and you’ll probably
get caught. But you can break into a network from your bedroom and the
chances of getting caught are pretty remote to be honest. You’re probably in
a different country for a start.
What can we do to protect ourselves?
For a start, be vigilant. Stolen identities are so readily available to criminals on
something we call the dark web that there are even ‘two for one offers’ and
‘money off all IDs sold until Friday’. It’s that competitive out there…
In your private life…
If you get a ‘phone call offering you a refund, be aware that someone may
have bought your name, number and address, and they’re now trying to get
your bank details too.
So be careful to whom you reveal personal information. It’s like giving a burglar
the keys to your home or business!
Don’t click on attachments without being absolutely certain who they’re from.
If in doubt give the person a call. It’s always better to be safe than sorry.
If you’re paying someone money, a criminal with access to your emails can so
easily jump in with an email, maybe pretending to be from your solicitor.
Because he or she now has access to your emails, the criminal’s fake email will
look just like the ones you’re used to getting from your real solicitor.
And if your lawyer signs off ‘best wishes Tim’ then that’s exactly how the fake
email will be signed by the criminal.
This is how loads of people are duped daily into putting their life savings into
criminals’ bank accounts when they get an email from what looks like, say,
their bank, financial advisor or solicitor.
The email will look real because they’ll even know how much you are due to
pay. Of course they do – the criminal has just read the same email as you!
If you have a business then…
Remember that any unprotected incautious employee can open up your
There have been stories of solicitors getting duped into sending house
completion monies to a bogus account and of clients who receive authentic
looking emails from a solicitor telling them that they need to pay money for a
house into a different account - too late they discover the email is a fake and
the account is that of a criminal.
Because of all this, Data Protection is hot news.
Something that was once regarded as a ‘good thing to have’ ranking alongside
health and safety and risk assessments in the brains of board directors and as
a topic the public anecdotally understood to mean not selling on their email
address without permission, has now become a mainstream media topic.
Whereas once, journalists needed to research to discover names of companies
affected by data breaches in order to give their stories relevancy to a
mainstream readership, it’s now only too easy to come up with a list of global
businesses that are household names affected by data breach.
And in turn, the severity of those breaches has multiplied exponentially. What
was initially a minor inconvenience for the PR department to defuse has now
become a national or even international scandal capable of bringing a giant
corporation to its knees.
And as we shall see, plans to make directors personally
accountable means that personal penalties are more than an
embarrassing interview or a tactical management reshuffle –
personal financial ruin is a very real prospect.
This is why the GDPR regulations around customer data provide an extra layer
of concern for organisations to pay big attention to!
The discussions between the European Commission, the European Parliament
and the Council (the so-called ‘trilogue’) EU Data Protection Reform papers,
the Data Protection Package, the Digital Single Market and the EU Agenda on
Security, together with the public consultations, cover many scores of
documents and hundreds of thousands of words.
In this book we shall guide you through the parts of the
legislation that you really need to know about.
And we shall flag up the key steps enterprises need to
implement in order to protect themselves and their
Personal data is any information relating to an individual, whether it relates
to his or her private, professional or public life. It can be anything from a name,
a photo, an email address, bank details, posts on social networking websites,
medical information, or a computer's IP address.
The EU Charter of Fundamental Rights says that everyone has the right to
personal data protection in all aspects of life: at home, at work, whilst shopping,
when receiving medical treatment, at a police station or on the Internet.
17 years ago less than 1% of Europeans used the internet.
Today, vast amounts of personal data are transferred and
exchanged, across continents and around the globe in
fractions of seconds [i]
In the digital age, the collection and storage of personal information are
essential. Data is used by all businesses – from insurance firms and banks to
social media sites and search engines. In a globalised world, the transfer of
data between countries has become an important factor in daily life. There are
no borders online and cloud computing means data may be sent from Berlin
to be processed in Boston and stored in Bangalore.
Everyone has the right to the protection of personal data.
Every day within the EU, businesses, public authorities and individuals transfer
vast amounts of personal data across borders. Whenever you open a bank
account, join a social networking website or book a flight online, you hand
over vital personal information such as your name, address, and credit card
People are worried as never before, asking ‘what happens to this data?’ ‘Could
it fall into the wrong hands?’ ‘What rights do we have regarding our personal
It’s all very well for individual governments of member states to legislate
to protect their citizens, but conflicting data protection rules in different
countries would disrupt international exchanges.
Individuals may be unwilling to transfer personal data abroad
if they are uncertain of the level of protection in other
EU surveys reveal – somewhat predictably – that more than 90% of Europeans
want the same data protection rights across the EU – and regardless of where
their data is processed.
Two-thirds of Europeans [ii] (67%) are concerned about not
having complete control over the information they provide
As a result of public concerns, in January 2012 the European Commission
proposed a comprehensive reform of data protection rules in the EU. The
objective was to give citizens back control over their personal data, and to
simplify the regulatory environment for business.
Seven Europeans out of ten [iii] worry about the potential use
that companies may make of the information disclosed.
Under EU law, personal data can only be gathered legally under strict
conditions, for a legitimate purpose.
Furthermore, persons or organisations which collect and manage our personal
information must protect it from misuse and must respect certain rights of the
data owners which are guaranteed by EU law.
Therefore, common EU rules have been established to ensure that personal
data enjoys a high standard of protection everywhere in the EU. Citizens have
the right to complain and obtain redress if their data is misused anywhere
within the EU.
The EU's Data Protection Directive also foresees specific rules for the transfer
of personal data outside the EU to ensure the best possible protection of your
data when it is exported abroad.
On 15 December 2015, the three European institutions agreed an historic
reform of data protection rules, establishing a modern and harmonised data
protection framework across the EU.
A Quick Guide to the New Data Protection Rules
This clearly cannot be an exhaustive analysis, but essentially the Reform consists
of two instruments:
1. The General Data Protection Regulation – more rights for people to
better control their personal data. And modernised and unified rules
intended to allow businesses to make the most of the opportunities of
the Digital Single Market by cutting red tape and benefiting from
reinforced consumer trust.
Identity Methods also work closely to protect the police and
criminal justice sector, and if this is an area of special interest
to you then please contact us for more in depth assistance.
But put briefly for the rest of us, there’s a second instrument
to the reform…
2. The Data Protection Directive – this is for the police and criminal justice
sector and is intended to ensure that the data of victims, witnesses, and
suspects of crimes, are duly protected in the context of a criminal
investigation or a law enforcement action. More harmonised laws are
also intended to facilitate cross-border co-operation of police or
prosecutors to combat crime and terrorism more effectively.
Fall foul of the new rules and penalties can be €1 million or up to 2% of the global
annual turnover of a company.
And there are rumours that this could be dramatically increased in the future.
A figure of €100 million has been mentioned in some quarters!
Want to Know More about the
General Data Protection Regulation?
We’re glad you’re still with us and still interested! OK here goes…
The new rules address personal data concerns by strengthening people’s
existing rights and empowering individuals with more control over their
personal data. Most notably, these include:
1. Easier access to your own data: individuals will have more information
on how their data is processed and this information should be available
in a clear and understandable way.
2. A right to data portability: it will be easier to transfer your personal
data between service providers.
3. A clarified "right to be forgotten": when you no longer want your data
to be processed, and provided that there are no legitimate grounds for
retaining it, the data will be deleted.
4. The right to know when your data has been hacked: For example,
companies and organisations must notify the national supervisory
authority of serious data breaches as soon as possible so that users can
take appropriate measures.
1. One continent, one law: The regulation will establish one single set of
rules which will make it simpler and cheaper for companies to do
business in the EU.
2. One-stop-shop: businesses will only have to deal with one single
3. European rules on European soil: companies based outside of Europe
will have to apply the same rules when offering services in the EU.
So a data centre in, say, India, won’t be an excuse!
4. Risk-based approach: the rules will avoid a burdensome
one-size-fits-all obligation and tailor them to the respective risks.
5. Rules fit for innovation: the regulation will guarantee that data
protection safeguards are built into products and services from the
earliest stage of development (Data Protection by Design).
Privacy-friendly techniques such as pseudonymisation (replacing personally
identifiable material with artificial identifiers) will be encouraged, to reap the
benefits of big data innovation while protecting privacy.
Red Tape Reductions!
The lawmakers reckon that enterprises will benefit from four reductions in
1. No more notifications: Notifications to supervisory authorities are a
formality that represent a cost for business of €130 million every year.
The reform will scrap these entirely.
2. Every penny counts: Where requests to access data are manifestly
unfounded or excessive, enterprises will be able to charge a fee for
3. Data Protection Officers: enterprises are exempt from the obligation
to appoint a data protection officer insofar as data processing is not their
core business activity.
4. Impact Assessments: enterprises will have no obligation to carry out
an impact assessment unless there is a high risk.
The 5 Key Points
1. A "right to be forgotten": When an individual no longer wants her/his
data to be processed, and provided that there are no legitimate grounds
for retaining it, the data will be deleted. This is about protecting the
privacy of individuals, not about erasing past events or restricting
freedom of the press.
2. Easier access to one's data: Individuals will have more information on
how their data is processed and this information should be available in
a clear and understandable way. A right to data portability will make it
easier for individuals to transmit personal data between service providers.
3. The right to know when one's data has been hacked: Companies and
organisations must notify the national supervisory authority of data
breaches which put individuals at risk and communicate to the data
subject all high risk breaches as soon as possible so that users can take
4. Data protection by design and by default: ‘Data protection by design’
and ‘Data protection by default’ are now essential elements in EU data
protection rules. Data protection safeguards will be built into products
and services from the earliest stage of development, and privacy-friendly
default settings will be the norm – for example on social networks or
5. Stronger enforcement of the rules: Data protection authorities will be
able to fine companies who do not comply with EU rules up to 4% of
their global annual turnover.
Won’t the New Rules Cost Businesses Lots of Cash?
Not necessarily. Properly planned, you could actually save money.
One planned advantage behind the single, pan-European law for data
protection is that companies will simply deal with one law, not the current 28.
The new rules have been estimated – by the EU, admittedly -
to bring benefits of €2.3 billion per year.
Case Study 1:
A chain of shops has its head office in France and franchised
shops in many other EU countries. Each shop collects data
relating to clients and transfers it to the head office in France
for further processing.
French data protection laws would apply to the processing done by head office,
but individual shops would still have to report to their national data protection
authority, to confirm they were processing data in accordance with national laws
in the country where they were located.
This means the company’s head office would have to consult local lawyers for all
its branches to ensure compliance with the law.
The total costs arising from reporting requirements in all countries could easily
With the Data Protection Reform:
The data protection law across all EU countries will be the same – one European
Union – one law.
This will eliminate the need to consult with local lawyers to ensure local
compliance for the franchised shops.
The result is direct cost savings and legal certainty.
It’s been said that the Reform could actually encourage
innovation and the use of Big Data. How?
‘Data protection by design and by default’ will become an essential principle.
It will incentivise businesses to innovate and develop new ideas, methods, and
technologies for security and protection of personal data.
According to some estimates, the value of European citizens’ personal data
could grow to nearly €1 trillion annually by 2020.
Used in conjunction with data protection impact assessments,
The Regulation promotes techniques such as:
• Anonymisation - removing personally identifiable information where it
is not needed.
• Pseudonymisation - replacing personally identifiable material with
• Encryption - encoding messages so only those authorised can read it,
to protect personal data.
These techniques will encourage the use of "big data" analytics, which can be
done using anonymised or pseudonymised data.
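The following is an added worked example, not code from the booklet or from Identity Methods, showing what anonymisation and pseudonymisation of a customer record look like in practice. The record, its field names and the HMAC key are all constructed for the example; the key stands in for a secret held only by the data controller.

```python
import hashlib
import hmac
import secrets

# Constructed sample row of the kind a shop might collect about a customer.
# Every value here is invented for this example.
SAMPLE_RECORD = {
    "customer_id": "C-10042",
    "name": "Jane Example",
    "email": "jane@example.com",
    "postcode": "BN1 1AA",
    "order_total_eur": 149.90,
    "device_ip": "203.0.113.7",
}

# Fields that identify a person directly. Pseudonymisation replaces these with
# artificial identifiers; anonymisation removes them altogether.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email", "device_ip")


def make_pseudonym(key: bytes, field: str, value: str) -> str:
    """Derive an artificial identifier for one field value.

    HMAC-SHA256 keyed with the controller's secret: the same input always
    yields the same token, so records about one person can still be joined,
    but without the key the token cannot be turned back into the person.
    The field name is mixed in so the same string appearing in two different
    fields yields two unrelated tokens.
    """
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymise(record: dict, key: bytes) -> dict:
    """Return a copy of the record with direct identifiers replaced by tokens.

    Non-identifying fields (order total, postcode) are kept so the data
    remains useful for analytics.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = make_pseudonym(key, field, str(out[field]))
    return out


def anonymise(record: dict) -> dict:
    """Drop direct identifiers and coarsen the postcode to its outward code.

    Unlike pseudonymisation this is one-way: there is no key that lets anyone
    re-identify the individual, which is what makes the result suitable for
    aggregate questions such as sales per area.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "postcode" in out:
        out["postcode"] = out["postcode"].split()[0]   # "BN1 1AA" -> "BN1"
    return out


def matches_person(key: bytes, token: str, field: str, value: str) -> bool:
    """Check whether a token belongs to a known value.

    Only the key holder can do this; it is how the controller answers a data
    subject's access or erasure request against pseudonymised records.
    """
    return hmac.compare_digest(token, make_pseudonym(key, field, value))


if __name__ == "__main__":
    controller_key = secrets.token_bytes(32)   # kept by the controller, never uploaded
    print("pseudonymised:", pseudonymise(SAMPLE_RECORD, controller_key))
    print("anonymised:   ", anonymise(SAMPLE_RECORD))
```

The key is what separates the two techniques: losing the pseudonymised table alone exposes no identities, while losing the table and the key exposes everything, so the key belongs in a separate, tightly controlled store.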
While it’s a data protection principle that when personal data
is collected for one or more purposes it should not be further
processed in a way that is incompatible with the original
purposes, this does not prohibit processing for a different
purpose or restrict 'raw data' for use in analytics.
A key factor in deciding whether a new purpose is incompatible with the
original purpose is whether it is fair.
Fairness will consider factors such as: the effects on the privacy of individuals
(e.g. specific and targeted decisions about identified persons) and whether an
individual has a reasonable expectation that their personal data will be used
in the new way.
So raw data from, say, driverless cars can still be used to analyse where the
most accidents take place and how future accidents could be avoided. It can
also be used to analyse traffic flows in order to reduce traffic jams.
Businesses need to think whether their data can be
anonymised for future processing, allowing raw data to be
Companies are free to base processing on a contract, on a law or - in
the absence of other bases - on a "balancing of interests".
These 'formal requirements', such as consent, are set out in the rules to provide
the necessary control by individuals over their personal data and to provide
legal certainty for everyone.
The new EU rules will provide flexibility on how to meet those requirements.
8 Important Things To Remember
1. Instead of the current obligation of all companies to notify all data
protection activities to data protection supervisors, the Regulation
provides for increased responsibility and accountability for those
processing personal data.
2. For example, companies and organisations must notify the national
supervisory authority of serious data breaches as soon as possible (if
feasible within 24 hours).
3. Wherever consent is required for data to be processed, it is clarified that
it has to be given explicitly, rather than assumed.
4. People can refer to the data protection authority in their country, even
when their data is processed by a company based outside the EU.
5. People will have easier access to their own data and be able to transfer
personal data from one service provider to another more easily (right to
data portability). This is likely to increase competition among services.
6. A ‘right to be forgotten’ means people will be able to delete their data if
there are no legitimate grounds for retaining it.
7. EU rules must apply if personal data is handled abroad by companies
that are active in the EU market and offer their services to EU citizens.
8. A new Directive will apply general data protection principles and rules
for police and judicial co-operation in criminal matters.
The rules will apply to both domestic and cross-border transfers of data.
OK, I get it… But how will the new rules work in practice?
Case Study 2:
A multinational company with several establishments in EU Member States
has an online navigation and mapping system across Europe. This system
The data protection safeguards upon data controllers vary substantially from one
Member State to another.
In one Member State, the deployment of this service led to a major public and
political outcry, and some aspects of it were considered to be unlawful.
The company then offered additional guarantees and safeguards to the individuals
residing in that Member State after negotiation with the competent DPA, however
the company refused to commit to offer the same additional guarantees to
individuals in other Member States.
Data controllers operating across borders need to spend time and money (for
legal advice, and to prepare the required forms or documents) to comply with
different, and sometimes contradictory, obligations.
With the new rules:
The new rules will establish a single, pan-European law for data protection,
replacing the current inconsistent patchwork of national laws.
Any company - regardless of whether it is established in the EU or not - will have
to apply EU data protection law should they wish to offer their services in the EU.
When will the new laws apply?
Following political agreement reached in trilogue, the final texts will be formally
adopted by the European Parliament and Council at the beginning of 2016. The
new rules will become applicable two years thereafter.
So that means early 2018.
The Commission will work together with the Member States and the Data
protection authorities – the future European Data Protection Board - to ensure
a uniform application of the new rules.
Case Study: a UK company wants to expand its activities
With the current rules:
Its data processing activities will be subject to a separate set of rules in Germany
and the company will have to deal with a new regulator.
The costs of obtaining legal advice and adjusting business models in order to
enter this new market may be prohibitive.
For example, some Member States charge notification fees for processing data.
With the new rules:
The new data protection rules will scrap all notification obligations and the
costs associated with these.
The aim of the data protection regulation is to remove obstacles to cross-
The Commission will work closely with Member State Data protection
authorities to ensure a uniform application of the new rules.
During the two-year transition phase, the Commission will inform citizens about
their rights and companies about their obligations.
Data Protection Authorities will work more closely together in the future,
especially through the one-stop shop mechanism to solve cross-border data
No EU business can ignore this. We’ve been given two years
to get ready, starting in January 2016. The clock is ticking.
It’s not going away and ‘compliance with UK legislation’ will not be a defence.
Independent national data protection authorities will be strengthened so they
can better enforce the EU rules and they will be empowered to fine companies
that violate EU data protection rules.
Penalties for non-compliance
Don’t forget that penalties can be €1 million or up to 2% of the global annual
turnover of a company.
There are rumours that this could be soon dramatically increased.
A figure of €100 million has been mentioned in some quarters.
And one source close to the legislature has already mentioned
plans to make the fine at least 4% and €20m, rising for the
big offenders to an eye-watering €30m and 5% of turnover!
9 Things You Should Do Right Now!
1. Culture… does your accountability policy meet the new standards?
2. Establish… a culture of monitoring, reviewing and assessing your data
processing procedures, aiming to minimise data processing and retention
of data, and building in safeguards.
3. Check… are your staff trained to understand their new obligations?
Conduct auditable privacy impact assessments, review any risky
processing activities and record the steps taken to address specific concerns.
4. Prepare & practise… for data security breaches by putting clear policies
and procedures in place so you can react quickly.
5. Embed… privacy into any new processing or product at the design
stage. This is also likely to demonstrate your compliance as well as giving
you competitive advantage.
6. Analyse… the type of data processing you do. Are your interests not
over-ridden by the data subject? Can you prove consent?
7. Check… is your information such as privacy notices in clear and plain
language, transparent and easily accessible as will be required by law?
8. Consider… if you are a supplier whether your new obligations are built
into your policies, procedures and agreements.
9. Understand… the rights of data subjects, because it will be for you to
prove by demonstration if you claim grounds to over-ride their interests.
Plus you will be prepared to challenge individuals who may have
If you’re unsure – and who isn’t? – then get help as soon as possible.
Then make a plan…
President Abraham Lincoln explained the value of planning
when he said: “Give me six hours to chop down a tree, and
I’ll spend the first four hours sharpening my axe.”
Things to Remember…
• The requirement for companies and organisations to notify the
national supervisory authority of serious data breaches within 24 hours
will likely spur companies to hasten their security auditing processes and
force them to deploy new risk analysis and management tools.
protection, so under the new regulation any company or individual that
processes data - including third parties such as cloud providers - will also
be held responsible for its protection.
• Some cloud service providers, especially those based outside the EU,
may not believe that the regulation applies to them. It does.
• So if you or anyone else touches or has access to your data, wherever
they are based, you are all responsible in the case of a data breach!
• You will need to be extra vigilant when it comes to securing the data
of others, and if you’re a data owner you must thoroughly vet your
• If you fail… get ready for US-style class-action compensation claims
• Which household name will be the first to suffer catastrophic financial
and reputational damage?
• Don’t wait for users to contact you – it’s now going to be your
responsibility to inform users of their rights. In addition, users should
not have to opt-out of their data being used, they must opt-in to your
This is more stringent than the current directive and
companies that fall foul of these measures will face larger
It’s not all bad news…
Remember that you will only be required to meet individuals’ “reasonable
expectations” of data privacy.
And elsewhere, the regulations stipulate that tokenised, encrypted or
pseudonymised data does meet these expectations.
So an organisation that encrypts or tokenises data before uploading to the
cloud meets the new standard.
If you keep your own encryption keys, any data loss is much less likely and, if
it does happen, you can show the regulators that you took steps to “meet
individuals’ reasonable expectations of data privacy”.
When an aeroplane comes in to land, the co-pilot counts down the approach.
8 miles, 10,000 feet.
6 miles, 6,000 feet.
4 miles, 2,000 feet.
Finally, the co-pilot says ‘2 miles to run. 1,000 feet. DECIDE.’
And at this point the pilot must respond ‘LAND’ or ‘GO AROUND’.
The pilot can’t say ‘Err, bear with me, let me think about it and I’ll try to get back
Preparing for the new data protection legislation is like that
It’s coming in to land and the time has come to decide.
Make a start …or ‘go around’.
You’re in charge. It’s your call.
[i] EU Justice Commissioner Viviane Reding
[ii] Eurobarometer survey 2015
[iii] Eurobarometer survey 2015
Richard McCann MBA PhD
Richard is a writer, journalist, lecturer and broadcaster.
Ian Collard, Managing Director, Identity Methods Ltd
Ian is a well-known government, banking and police digital
security consultant and IdAM (Identity & Access
Management) professional. Ian’s broad knowledge extends
through enterprise, cloud, industrial control and other CNI
(Critical National Infrastructure) cyber-security areas.
Formerly security practice leader at Siemens, Ian has led successful consultancy,
sales and implementations within various government departments and
leading financial services companies; his cross-vertical knowledge is
Identity Methods Limited
44 North Road
+44 (0)1273 448080