The Fear of Data (Part 1) - An easy guide to understanding Data laws and regulations


Somewhere in the great big cloud out there, companies have data on all of us. Things we do, places we go, our choice of shampoo, the websites we browse. As often as we click the option for our data to be removed or not to have it collected, a simple fact of twenty-first century life is that data is everywhere and all around us. As a result, we live in a world where there’s a fear of data and the misappropriation of our data, whether that’s our Gmail password, credit card details, or more private and vital information.

The volume of our personal data increases day by day, and so does the amount of that data that we, as firms and organisations, store ourselves. With security and legal systems in place to protect both the individual and those who collect and store data, it is good to know our rights and entitlements.

A brief guide to EU data laws

As a European company dealing mostly with European clients, Viur Data is directed by EU data laws, so let’s take a quick run-down on what’s happening on a European scale.

On 27 April 2016 the European Commission’s General Data Protection Regulation (GDPR) was adopted across the European Union to replace the previous Data Protection Directive. After a two-year transition period, it will come into force on 25 May 2018.

The older Data Protection Directive was created to regulate the growth of personal data within the EU, and is part of the Union’s privacy and human rights law. The new European Data Protection Regulation aims to align current data protection laws across all EU member states, and being a “regulation” rather than a “directive” means it does not require implementing legislation to be passed by EU member state governments and will be directly applicable.

The regulation applies when the data controller or the data subject is based in the EU, and also, very importantly, relates to any organisation based outside the European Union processing the personal data of EU residents. According to the European Commission:

personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.

For EU businesses and organisations that deal with the United Kingdom, the upcoming Brexit withdrawal of the UK from the European Union will mean that a new set of laws and regulations will be implemented and will have to be taken into consideration; for now, though, they must keep up to date with the increasingly tough and complex European data protection regulations. The new, stricter legislation means cloud customers and cloud providers face harsher data security requirements, as the default privacy settings must be set at a high level under the new regulation.

Under the GDPR, reporting of a data breach is not subject to any de minimis standard: breaches must be reported to the Supervisory Authority as soon as the controller becomes aware of them (Article 31), and the affected individuals must be notified if an adverse impact is determined (Article 32).

Sanctions range from written warnings, for first and non-intentional cases of non-compliance, followed by regular periodic data protection audits; to a fine of up to 10 million EUR or up to 2% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater; and, in some circumstances, fines of up to 20 million EUR or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The so-called Right to be Forgotten has been replaced by a more limited Right to Erasure. The data subject can lawfully request erasure of personal data on a number of grounds, including non-compliance with Article 6.1 (Lawfulness), where the legitimate interests of the controller are overridden by the rights of the data subject.

A brief guide to US data laws

Within the United States there is a lack of high-level legislation for data privacy and relatively slack regulation. Access to private data can be obtained quite easily, particularly by potential employers and by industries whose activities come under the financial regulator. In general, there is no law regulating the acquisition, storage, or use of personal data in the U.S., even if the data was collected without the subject’s permission. The few exceptions to this (non) rule include several federal bodies and matters that come under the Children's Online Privacy Protection Act of 1998.

Very few U.S. states recognise the individual's right to privacy, one key exception being the state of California, whose legislature aims to protect that right. For example, operators of commercial websites that collect data on California residents must include their privacy policy on the site.

There is an arrangement between the United States Department of Commerce and the European Commission that allows U.S. companies to comply with E.U. directives, easing relations between U.S. organisations and their European partners.

Global data problems and solutions

There is no single global data directive or set of laws; the levels of privacy and ownership vary from continent to continent and from country to country, so it pays to keep tight reins on the data you’re collecting and to use only the most secure platforms to chart the ebb and flow of your information. Viur Data, for example, works to the highest standards of safety and security to make sure that your data remains where it’s supposed to be, and with whom it’s supposed to be. With global names such as Dropbox, Yahoo and Amazon increasingly falling victim to attacks on their data, exposing their users to risk, it pays to use a dashboard you can trust!

In Part 2, discover how Viur Data ensures the complete security and safety of your information.