During a recent NetApp roundtable on the incoming EU data protection rules, the conversation soon homed in on how new rules around the 'right to be forgotten' will affect how enterprises must handle data
At a recent NetApp roundtable on upcoming EU data protection regulation reform, talk among the resellers present quickly turned to one controversial aspect that could have far-reaching consequences for their customers: the right to be forgotten.
It was announced on 15 June that all 28 members of the EU's council had agreed to introduce a single set of data protection laws that cover the whole of Europe, with the aim of implementing the new regulation by early 2018.
The European Commission said that with the regulation as it is, "internet companies and start-ups cannot take full advantage of growth opportunities online", and just seven per cent of SMEs currently sell cross-border.
The commission continued: "A fully functional digital single market could contribute €415bn (£289bn) per year to our economy and create hundreds of thousands of new jobs."
But the roundtable - attended by NetApp partners including Node4 and Q Associates - was largely dominated by the right-to-be-forgotten legislation, which is set to be strengthened under the new regime.
This could be a challenging prospect for enterprises because, if removal were requested, most are not set up to prove that all data relating to a single person has been excised from their systems. In addition, many don't think the rule applies to them, the roundtable participants agreed.
From the channel's point of view, this opens the door for resellers to offer assistance to their enterprise customers, preparing a strategy not just for the right to be forgotten, but for the reforms as a whole.
Adam Ryan, head of cloud services at NetApp partner Q Associates, said: "At the moment it is all about getting sound knowledge about what it means and what the ramifications are. When I look around our client base, there is a varying degree of awareness and how applicable the regulation is to them."
Node4's head of sales south, Steve Denby, warned that "the right to be forgotten is a terrifying prospect for enterprise", and that clearing out every trace of an individual's data is a near-impossible task. "Nobody can undertake that, it will bankrupt them," he said.
"Unless someone pulls the plug, then data will never disappear completely," he added. "I think services and products need to be reviewed and altered to take the new law into consideration. So solutions need to be designed around the consumer so that you can slice and dice the data and remove it in such a fashion. I think it is going to be a challenge for the channel to deliver solutions that allow the enterprise and SME market to do that easily."
Businesses that are not au fait with the legislation perhaps think it is of more concern to IT players such as Google or Facebook, and don't fully understand that the scope is considerably wider, according to Ryan.
"The migration of data into archives and frontline data, plus the split of where that is all held - to have the ability to show through all that, that certain data is completely gone? Good luck with that," he added.
This is a big ask of enterprises, but one that should be taken seriously, attendees said. If a business does not abide by these rules, however complex they may seem, there will be a price to pay: in some cases a fine of two per cent of the company's yearly global turnover or €1m, whichever is greater.
NetApp's director of technology and strategy, Matt Watts, voiced his concerns, saying: "I think of a datacentre as a kind of city where the apps are shops that you go into. Every time you work within a datacentre, you are leaving traces of yourself wherever you go. How do you consolidate that when someone says, 'I want all of it gone'?"
But the reforms will make doing business within the EU a far more attractive prospect, thanks to the increased protection and the ease of operating under one authority, Watts added. However, he insisted that companies must be careful with the data they are holding. "Information about people is a product, so we need to be treating that information as something with significant value. You don't want someone outside Europe tapping into our data and generating revenue from it," he said.
"This legislation could make us more competitive on the world scene. It will attract customers because of the protection we are offering."
Watts advises companies to be more aware of what data they are collecting about someone, and of what it is being used for. If the data is held for contractual reasons (for example, records of transactions in a retail environment must be kept for six years in the UK, as stated on the government website), the regulation says the right to be forgotten does not apply.
In fact, the rule states that this is not an absolute right: where there is a legitimate reason to retain such data, the right to be forgotten does not apply. It also provides that the right does not in any way encroach on freedom of expression and information, such as in the press.
To help enterprises prepare for the upcoming changes, Q Associates is running a number of operational readiness and alignment programmes, Ryan said. In these programmes customers are told what they need to be aware of and how to set up protocols to deal with it.
Denby ended on a positive note, saying: "Moving forward, I think it is a good idea. I wouldn't say it is a terrifying prospect in terms of the point of doing it; it is executing it that is terrifying."
What the law is now
The data protection regulation as it stands is based on the 1980 OECD (Organisation for Economic Co-operation and Development) "recommendations for the Council concerning guidelines governing the protection of privacy and trans-border flows of personal data".
These recommendations are based on seven principles inscribed in the directive 95/46/EC, on the "protection of individuals with regard to the processing of personal data and on the free movement of such data" penned by the European Parliament in 1995.
The seven principles
- Notice: The subjects whose data is being collected should be notified.
- Purpose: The data collected should be used only for the stated purpose(s) and for no other.
- Consent: Personal data should not be disclosed or shared with third parties without consent from its subjects.
- Security: Once collected, personal data must be kept safe and secure from potential abuse, theft or loss.
- Disclosure: Subjects whose personal data is being collected should be informed as to the party or parties collecting such data.
- Access: Subjects should be granted access to their personal data and allowed to correct any inaccuracies.
- Accountability: Subjects should be able to hold personal data collectors accountable for adhering to all seven of these principles.
What is changing
The reform first came about in January 2012, when the European Commission published two proposals for a new data protection regulation. The drafts set out the commission's aim of updating the current framework, giving users more control over their data and introducing one set of rules for the whole of Europe.
The framework will also be extended to cover the protection of a person's data when it is used by the police or by criminal justice organisations, and it has been proposed that a data protection officer be appointed by the EU to ensure the new rules are adhered to.
What the reform means for businesses
- One continent, one law: The revised regulation will act as one rule book for the whole of Europe, meaning companies have to deal with only one law, as opposed to 28, regardless of where they are established.
- One authority: Companies will have to deal with only one authoritative body, with the aim of making it easier and cheaper to do business in the EU.
- Less red tape: Notifications to supervisory authorities, which represent a yearly cost of €130m for businesses, will be scrapped.
- Rule breakers: Companies will be fined two per cent of global annual turnover, or €1m (whichever is greater), if they do not abide by the new rules.
Data protection reform timeline
- Jan 2012: Publication
- March 2014: EU position
- June 2015: Council position
- First half 2016: Adoption
- First half 2018: In force