Do you own or manage a business within the EU? Does your business reside outside of the EU, but house any personal or organizational data originating from within the EU? If either of these statements is true, you will want to read this blog.
According to Computer Weekly, “Data storage regulations in Europe are currently driven by provisions of the EU Data Protection Directive and their respective applications in member states… The current EU data protection regime requires organisations to take ‘appropriate security measures to protect personal data.’ It is based around eight principles driving the data protection regime that dictate how personal data must be acquired, maintained, updated, stored, protected and disposed of.”
The new laws are meant to streamline security practices by moving from disparate member-state regulations to a single regulation for the entire EU, and will affect both in-house and external cloud storage.
Among the reforms, the new law includes substantial changes in the area of personal data storage. With the ever expanding cloud-based sector, data security is increasingly being managed by a third party, rather than the business that initially acquired the information – otherwise known as the data controller. As such, the third party assumes the responsibilities of the data controller and is expected to protect all personal data.
The article explains, “The responsibilities of data controllers will also increase. They’ll have to put policies and procedures in place. Data controllers will have to demonstrate they have carried out staff training and checked that data processors are also ‘taking appropriate security measures’ to protect personal data pertaining to customers, employees and contractors.
From a cloud perspective, there will be a right to be forgotten and to data portability. This means that cloud providers will be required to delete information about a person or business if they request it to, and the person or business will be allowed to move data from one cloud provider to another.”
The regulations will not be limited to companies residing in the EU. Any data belonging to EU citizens or organizations that is managed by a third party outside of the EU must be secured and transferred with security protocols that are at least as stringent as those required in the EU. In other words, a cloud-based storage provider in the US would have to abide by these regulations when storing data originating in the EU.
The article cautions businesses that plan to use a public or hybrid cloud to carefully review the contract to verify that the security measures are in-line with EU standards. Some cloud-based storage providers may also try to include liability restrictions.
In addition to the data security measures, there are some additional updates regarding data retention and industry standards. For example, specific types of data must be kept for longer periods of time and some cardholder data is not allowed to be stored at all.
The article warns, “Consider the potential for e-discovery. You need to make sure you know what data you are actually storing, for whom and who’s doing that on your behalf if you use a third party.”
According to Cameron Coles, of Skyhigh, “Only 1 in 100 Cloud Providers Meet Proposed EU Data Protection Requirements.”
Now, more than ever, businesses must be proactive about their plans to handle data capture and storage compliance.
For more information on the new regulations, click here.
Sign up for our newsletters.