The protection of personal data within the EU will be unified by The European Commission with a single set of rules, the General Data Protection Regulation (GDPR). This Regulation will replace the current EU Data Protection Directive 95/46/EC. The EU plans to implement the new EU Data Protection regulation in 2017. Note that there is an essential difference here between ‘Directive’ and ‘Regulation’. Where the current directive typically was translated in different national laws with differences per country, the new regulation will automatically become law in all member states. For every company doing business in the EU the rules will be the same, the rules will be clear and ….the rules will be very demanding.
What does the new EU Data Protection Regulation mean for you? I would like to highlight some topics in this blog. And, since RSconnect is developing products which help you to secure your VoIP Enterprise telecommunication and unified communication networks, I will also briefly touch the impact of the Data Protection regulation on your VoIP and UC security requirements.
The EU Data Protection rules apply whenever data can be used, directly or indirectly, to identify a person. Personal data can be anything from names, photos and addresses to medical information or social network posts. In the new regulation there will be one set of rules for the protection of such personal data for all organizations throughout the EU. The rules apply for the company that is the data owner, but also for any other company that processes the personal data like cloud service providers.
And, although this is an EU regulation, the impact is not limited to EU countries. Every company involved in the processing of personal data of EU citizens has to take care of an adequate level of privacy protection. So, it is not the location of the company that matters, but the origin of the data.
Users will have a much stronger position once the new regulation is implemented. This starts with the actual use of his or her data. The so-called data subject has to give his or her explicit consent for the data being collected and the purposes for which the data are used. This cannot be done by approval of generic terms and conditions, an explicit affirmative action like ticking a consent box is required. And, the user can also withdraw this consent at any time. In the new regulation the time-frame in which a data controller should provide information to a user on his or her request about the data collected, is harmonized over all countries and will probably be much shorter than today.
Also, if a user no longer wants data to be processed and there is no legitimate ground to keep them, they can request the data controller to erase the data. For organizations this demands well-defined procedures to trace any location where the data are stored. Not just the well-controlled master databases, but also the local copies and even spreadsheets. The regulation also enforces an easy transfer of personal data to someone’s new service provider.
The new EU Regulation demands changes in your organization. First, public organizations and larger organizations processing more than 5000 data subjects within 12 months are required to appoint a Data Protection Officer (DPO). This role is to ensure compliance to the Regulation within the organization. Another task is to liaise with and facilitate inspection by the DPA, the Data Protection Authority of the country where the organization is active. Specifically when an organization is involved in high risk operations, risk assessment and mitigation is required. In case of international operations, one lead authority will take responsibility for the supervisor role, typically the DPA of the country where an organization has its main establishment. Data Protection Authorities are national authorities responsible for the protection of data and privacy in countries of the European Union.
For example, in the UK the Information Commissioner’s Office is the DPA, while in France the Commission nationale de l’informatique et des libertés takes these responsibilities. Beside a formal DPO appointment, it is also important that every organization takes all necessary measures at a technical and organizational level. Important here are the ‘Privacy by Design and by Default’ concepts. This means that data protection safeguards should be part of products and services from their very early stage of development, while all privacy-settings will be set at a high-level by default. The benefit of all these regulations is that if companies really have documented and can prove that they took relevant steps to meet reasonable expectations of data privacy, the impact of any data loss or other problems will normally be less severe. So, there will be strict rules to follow but, if you do follow them, the Regulation protects not only the data privacy, but also your company if it is a victim of hackers and other cybercriminals.
Important in the new set of rules will be the impact in case of data loss. Currently, each country has different rules for this, but in the new regulated situation the authorities must be informed at short notice, 72 hours at most. Also, the penalties in case organizations do not follow the regulations and data are stolen, are very serious. Where penalties are currently limited, for example in the UK to £500,000.- the European Parliament proposed fines up to €10,000,000.- or 5% of a company’s yearly turnover. In addition, also the users themselves will see more legal possibilities to claim damages in case of data loss. It is very likely that in future groups of users will start procedures comparable to class action lawsuits in the US. The financial impact of these procedures can also be immense, as can be the reputation damage.
Voice communications and enterprise telephony are normally not the key focus when the EU Data Protection impact is discussed. The debate is often about typical data security questions like how a database with sensitive personal data is protected from unauthorized access and data theft. This only illustrates how easy it is to forget that modern telephony solutions are in no way comparable to the Plain Old Telephony Service that used to be common in all corporate organizations. Current Enterprise telecommunication solutions are state-of-the-art IT infrastructures with critical – but often forgotten – access to your company’s personal data.
Let’s take a very simple example: senior medical staff of a medical institute treat people with medical or psychological problems and these patients definitely don’t want to share their personal data with the outside world. Does anyone of these staff members realize that their personal phone directories with names and contact details of patients are nowadays stored in the database of the Unified Communication Server and that unauthorized access to that server would mean unauthorized access to a list of customers, phone numbers and related data? The impact of this could be enormous and for the clinic it could actually mean bankruptcy.
One could say that such a scenario is not likely to become reality since voice communication nowadays is not only more advanced, but is also secured. Indeed, enterprise desktop phones can be secured from unauthorized access. But unfortunately, in general log-in procedures to desktop telephones are very often not so user-friendly and people tend to forget to log-out at the end of the day in order to save themselves from another complex log-in procedure in the morning. As a result, many advanced telephones are ‘open’ day and night, providing easy access to personal data of customers and patients. This is the reason why, since Personal Data Protection has got more attention, RSconnect also receives more questions about this topic. We are glad that with our Active Login Manager we can help companies to close this unknown shortcut to sensitive personal data. Please contact me if you want to know more about the new EU Data Protection rules and the impact on your unified communications solution.