Daragh O Brien contributed to a 2014 whitepaper by Neopost on the forthcoming Data Protection Regulation.
His €0.02 on the forthcoming changes are that:
- Even if an organisation doesn’t have the scale (250 employees) to warrant a formal “Data Protection Officer”, pragmatically it must be someone’s role to be responsible for the governance of personal data covered by the Regulation
- Privacy Impact Assessments will be largely optional, but he’d consider them “recommended practice” for any organisation, to make sure it doesn’t inadvertently breach the new regulations
- Two years is a very short time to shift culture in organisations from a reactive compliance focus to a risk-managed way of looking at Data Protection. Start now or risk falling foul of the Regulation when it does arrive.
- The need to have a documented system of governance, and evidence of its effectiveness, should be a major wake-up call for organisations.
- Non-EU-based organisations need to assess the impact on their operations of the supra-jurisdictional effect of the legislation (but hey, Sarbanes-Oxley had a similar supra-jurisdictional effect, so suck it up and get on with addressing the challenges!)
There is a lot still up in the air with the EU data protection regulation, with questions still outstanding on the One Stop Shop concept, the differences between Pseudonymised and Anonymised data and the controls required over each, and a host of other niggles, but the broad brush strokes are there. Hiding one’s head and hoping it will go away is a negative sum strategy. Combining EU Data Protection obligations with broader Data Governance initiatives and Information Quality objectives creates a strong win-win in the organisation and will lead to a strong positive-sum game.