In 1980, the Organization for Economic Cooperation and Development, or OECD, established frameworks to protect privacy and personal data. From then until now, we have experienced several profound changes in legislation, notably the EU Data Protection Directive. Now in 2018, the General Data Protection Regulation, or GDPR, will begin to take on its true value, as May of this year will be when the adaptation period will be over.
The first moves toward a data protection law
The development of the OECD Guidelines, stemming from the need to adapt the already obsolete OEEC, was the first step to committing the thirty-five participating countries to mutual respect and clarity in the transfer of information.
As the importance of the Internet and data grew and became global, the OECD guidelines established the first comprehensive personal data protection system in all its member states.
These guidelines were based on eight principles to ensure that the interested party was notified when their data were collected; that this data was used for the stated purpose and for nothing else; that, in addition, these purposes were defined at the time of collection; that your data would not be disclosed without your consent; that the data record be kept secure; that the interested party be informed of everything; that they could access their data and make corrections; and, finally, that the interested party had at their disposal a method to hold the data recorder accountable for not following said principles.
And then came the data protection framework
In 1995, it was time to update the regulation of personal data and its management. Directive 95/46/EC of the European Union, also known as DPD, or Data Protection Directive, was a step forward that included the eight OECD guidelines and extended the application in a context where privacy was much more important.
But the fundamental change was in the legal section. Specifically, the OECD guidelines consisted of the Council’s recommendations regarding the guidelines that govern the protection of privacy and the cross-border flow of personal data and, therefore, non-binding.
Directive 95/46/EC changed this aspect, providing more concise definitions and specific areas of application. Although the directive itself is not binding for citizens, the member states had to transpose the local directives before 1998. This modification was also intended to create an administrative homogeneity and an equal legal framework for all member states.
Adopting the GDPR
Despite the considerable efforts involved in the implementation of the Data Protection Directive, in just a decade the progress proved to be insufficient. One of the main criticisms of the previous directive was the limited control of the interested parties over their data, which includes their transfer outside the European area.
This directly involves multinationals and large companies that were able to take advantage of the deficient framework of the previous directive for their own interests. To resolve this, in 2016 the adoption of the General Data Protection Regulation, or GDPR, was approved.
Since then, and until May 2018, everyone has had time to adapt to the regulations. The most remarkable thing about the GDPR is that, unlike the previous directives, it does not require local legislation, homogenizing, once and for all, legislation regarding protection within the member states and companies that work with EU citizens’ information, inside and outside of this region.
Is your company ready?
The European Union foresees that the application of the GDPR will suppose sanctions of up to twenty million euros or 4% of turnover of the previous period for non-compliance. Now that we are in the final stretch, it is convenient to determine whether our company is prepared to meet the challenges.
All companies that collect and store the personal data of their employees, customers and suppliers residing in the EU are affected. This is important if we take into account that 80% of the data handled by the organizations is unstructured.
The increase of confidential data stored in an array of databases puts protection in the spotlight. Cyberattacks could lead to a serious sanction. Good practices in Data Security Governance are the key to mitigating these risks and ensuring compliance.
Luckily we have tools such as Panda Adaptive Defense and Panda Adaptive Defense 360, which have a Data Control module to help with such tasks. This tool is specialized in simplifying the management of this personal data since it discovers, audits and monitors in real time the complete life cycle of these files. And do not forget that keeping up with the GDPR is an active and meticulous process, but one which can be simplified and automated if with the right help. Don’t wait until May!