I have been reading about the proposed new EU Regulation on Data Protection and a lot of people seem to be highlighting a lot of what they perceive to be negatives within it, whereas I see them as being positives.
Jail terms for data misuse, absolutely!! Heavy monetary penalties against large corporations for failure to comply? Bring it on!!
There has not been much mention, however, of the switch to explicit consent to process data, something that should be a common right of all individuals, rather than having these shoddy and shambolic clauses currently in place where you are not sure what you have signed up to. Couple that with the requirement to state clearly, and in common language, what the data is to be used for and who it will be shared with, and processing becomes much tighter and more controlled.
Another major area is the increased protection for children, which under these proposed Regulations, is currently planned to be someone who is under 18, and the requirement for parent/guardian sign up for under 13s.
There is also the requirement for Data Processors to be held as accountable as the Data Controllers when handling data, and the requirement to have policies and processes in place that define what data is being used and how, with disaster recovery plans built in. So far so good: these are all very positive steps and I welcome every single one of them.
On the downside, however, is the dropping of the requirement to notify, which could cause problems for the ICO revenue stream and also lead to unlicensed data misusers!!
Then there is the increased Data Access Request activity. This is the real downside of the proposed Regulation: it drops the fee (nobody will really miss that anyway), but it also reduces the response time to one month rather than 40 days and increases the amount of extra information that will have to be supplied, such as the length of time the data will be held, telling the applicant about their rights to erasure and correction, and advising them that they have a right of complaint to the ICO. This is not so user friendly, but when you look at the bigger picture, how many DSARs actually take 40 days? In my experience it is about 0.2%, with the majority being completed in less than a week.
On to the right to be forgotten: this is new and allows the individual to apply to have their data erased where it may just be stagnant or where there is no real rationale for keeping it. The data controller will need to advise all other users of those data that they will need to comply as well, so a log will need to be kept of who data are transferred to. I think this is aimed more at the social media sites, where ‘information’ is used to profile people applying for jobs, and that old photo of the lads on holiday with buckets on their heads may not be so good; the applicant can therefore ask for it to be removed as it is both excessive and probably out of date.
Just a few thoughts there to chew over, happy to discuss with anyone who wants to.