
EU data protection rules add tough new case management obligations

by Eskimo Commands | Posted in Technical Updates | 11 November 2015

Did you know that the biggest change to data protection rules in 20 years is imminent? The new law will set robust new standards that must be followed by any organisation handling personal data.

Case management software can retain highly sensitive information about the people and events involved in a case, so software providers and users alike will need to take steps to ensure compliance with the new rules. Here at Computer Application Services we are busy taking steps to make sure we are ready to fulfil the requirements.

The EU General Data Protection Regulation (GDPR), once adopted, will apply directly as law in all 28 EU member states. Because it is a regulation rather than a directive, it will give uniformity of data protection law across the member states, instead of each country setting its own rules, and it will significantly increase the penalties for non-compliance.

It has been a lengthy process: the Regulation was first proposed by the European Commission in January 2012. If the current negotiations are successful, agreement on the draft text is possible in early 2016, and the new framework would then come into force in 2018 after a transition period.

Although that is still a relatively long way off, businesses that work with personal data, and particularly those that use the cloud, will need to start preparing now for the changes of practice required to meet the additional obligations and responsibilities. Privacy controls will need to be strong, hard to bypass and fully embedded in a system's core functionality rather than bolted on afterwards.

Under the draft text there would be much larger fines for non-compliance: for the most serious breaches, up to 100 million euros or 5% of a company's annual worldwide turnover, whichever is greater.

Businesses will need to make sure their privacy policies and procedures are in order and kept up to date, as data protection authorities will be able to ask for them at any time.

Under the draft, any personal data breach will have to be notified to the relevant data protection authority, even where protective measures such as encryption are in place or the likelihood of harm is low. So a breach notification process will need to be implemented, covering detection of the breach, assessment of what data was affected, and notification within the deadline.

A personal data breach would be defined as any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In the case of a breach, the data controller would have to notify the national supervisory authority within 24 hours where feasible.

If the breach is likely to "adversely affect the protection of the personal data or the privacy of the data subject", the data controller must also notify the individuals concerned without undue delay. Critics fear that this could result in a deluge of breach notices and unnecessarily cause anxiety in the people who receive them.

There will also be a new "right to erasure" for individuals, sometimes referred to as the right to be forgotten. This means firms will need a strategy covering data retention, destruction and storage, and in particular the ability to locate and delete every copy of an individual's data, including copies held by third-party processors and in backups.

Workpro case management software already includes the ability to mirror a company's data retention and destruction policies in the workflow, and robust user access controls and data security are core features. However, we are taking steps to ensure Workpro will fulfil all requirements under the new law.

Companies processing data in the cloud will be required to choose a service provider that gives sufficient guarantees to protect the individuals whose data is processed. The data controller must ensure not only that the cloud service provider has security measures in place, but also that the processing carried out and the security measures used by the provider actually meet the Regulation's requirements.

In addition, the contract between the data controller and the cloud service provider will have to prohibit the provider from engaging a third party (a sub-processor) without the data controller's permission. After the contract ends, the cloud service provider will be required to hand all of the data back to the data controller.

There will also be a requirement for stronger security measures that are tailored to the personal data actually being processed, which means risk assessments will need to be carried out by both the data controller and the cloud service provider. Today, by contrast, service providers rarely know the nature of the data hosted on their service.

So there is a whole host of measures likely to come into force within a few years. It remains to be seen how difficult companies will find it to comply with them all. One thing is clear, however: the bar for protecting personal data will be higher than it has ever been.
