A Dummy’s Guide to EU Data Protection Laws

EU Data Protection

As the digital landscape evolves at a breakneck pace, we know now that technology laws such as Moore’s law are living up to its expectations. The question is – are our civil and criminal laws really up to the challenge of safeguarding the integrity and privacy of data in this domain?

If the numerous corporate hacking cases and government spying scandals are anything to go by, governments and enterprises across the world are beginning to wake up to the reality of instituting a uniform digital data protection framework as the only way to effectively deal with these problems.

Ponemon Institute study estimated that the average cost per lost/stolen record due to a data breach is $188, whereas the average cost of an organizational data breach is estimated to be around $5.4 million. However, it was more concerning to see the lack of data protection accountability measures being taken to address this, which left a dangerous backdoor for potentially catastrophic data theft or loss incidents to run rampant in the future.

In light of this, the European Commission undertook the task of overhauling EU data protection rules to help secure the personal data of citizens and corporations based in European Union territories.

In response to mass surveillance cases (infamous NSA surveillance), the Civil Liberties Committee reiterated the need for stronger safeguards for data transfers to non-EU countries along with a series of strict regulations to promote secure data storage and transfer practices.

This revitalizing directive finally takes into significant technological developments in social networking and cloud computing platforms to determine the right data protection and privacy policies.

The European Commission’s aim to create a pan-European law to reinforce the old patchwork of national laws is a great initiative for organizations since they do not have to face the headache of complying with the regulations set forth by multiple authorities.

On the other hand, many organizations take a lackluster approach to handling data breach incidents. They refuse to invest significant resources in devising a long-term data protection program, and tip their hats in contempt at the Information Control Officer (ICO) believing they will get away with a miniscule fine.

EU Data Protection Regulations are a big step forward in the field of compliance and risk management because they put the escapist brouhaha culture of data security on trial and define the vitality and repercussions of risk ownership like never before. It rightly shifts the spotlight from infrastructure-exclusive security to a more proactive, data-centric strategy.

How the GDPR (General Data Protection Regulation) Will Shake Up Data Industry Practices

In a world with increased decentralization of resources owing to the rise in private, public, and hybrid cloud computing players, the General Data Protection Regulation (GDPR) plans to unify data protection within the EU with a single law, and put the onus of security on everyone responsible for the management of the data cycle.

However, a recent survey conducted by FireEye focusing on the readiness for cybersecurity regulations in Europe, indicated that only 39percent were confident they had optimized their data protection to meet all requirements. For now, a quarter of respondents claimed that investment in new hardware and software infrastructure to fulfill the GDPR demands was the biggest challenge ahead of them.


Data-protection governance is the need of the hour as it drives businesses to take charge of their data policies, risk assessments, and control requirements, so that it elevates performance standards and bring in some much-needed accountability for their decision making. The GDPR is just a way to fast-track this change.

Now that you know about the necessity of this game-changing policy directive, it’s time to examine how the European Data Protection Regulation plans to shake things up in the information industry:


Coverage Scope

The GDPR covers all data controllers and data subjects based in the EU. It also applies to organizations based outside the EU that process the personal data of its residents.

According to the EC, the definition of personal data covers anything that points to their professional or personal life, including names, photos, emails IDs, bank details, social networking posts, medical information, or computer IP address.

There will be a Single Data Protection Authority (DPA) assigned to each company depending on where the company is located who will report to the European Data Protection Board. They must be appointed for all public authorities and companies processing more than 5000 data subjects within 12 months.


Although previous data processing notice requirements remain intact, they must also specify the retention time for personal data and provide their contact information to customers. The Privacy by Design and Privacy by Default clauses in Article 23 mandate that data protection protocols must be integrated into the business development process itself. All privacy settings must be set to high by default.

Data Protection Impact Assessments (Article 33) have to be conducted when specific risks occur to the rights and freedoms of data subjects.

Proof of Consent

Article 7 and Article 8 specify that data controllers must possess a valid proof of consent for processing data and acquire special permissions for collecting the data of children under 13 from their legal guardians.

Instant Breach Alerts

Article 32 says that any case of data breach must be reported to the DPA by the controller within 72 hours of discovering the issue so that all parties involved can be warned about the situation and take precautionary measures.

Severe Sanctions

Instances of first unintentional cases of non-compliance will be doled out written warnings by the DPA. As a result, organizations will also be directed to conduct regular data protection audits.In case of graver offenses, organizations may have to cough up a deadly fine up to 1,000,000 EUR or up to 2% of the annual worldwide turnover in case of an enterprise, whichever is greater (Article 79).

Right to Erasure

Article 17 empowers data subjects by giving them the right to request removal of personal data related to them on any one of a number of grounds, including cases where the fundamental rights of the data subject take precedence over the data controller’s interests and require protection.

Portability of Data

According to Article 15, users will also be allowed to request a copy of personal data being processed so that they have the freedom to transmit it to another processing system if needed.

On-premise private cloud solutions such as FileCloud help organizations to keep their data in servers within their firewall, while providing all the flexibility and access advantages of public cloud such as Dropbox. Additionally, FileCloud’s unique capabilities to comply with EU regulations, and features to monitor, prevent, and fix any data leakage across devices (Laptops, Desktops, Smartphones and Tablets). Learn more at www.getfilecloud.com

 Author: Prashant Bajpai

Image Courtesy  Stuart Miles, FreeDigitalPhotos.net