Data security developments under the General Data Protection Regulation

Kuan Hon, a consultant lawyer at Pinsent Masons and a senior researcher on cloud law projects at Queen Mary University of London, explores the latest data security developments under the General Data Protection Regulation. This blog is written in her personal capacity only.

There is political pressure to finalise the draft General Data Protection Regulation (GDPR) before 2015 is out. Proposed by the European Commission in 2012 to modernise the EU Data Protection Directive (DPD), GDPR would spell major changes regarding security as well as other matters. Its final text won’t be known until it’s agreed in “trilogue” between the EU institutions, and significant differences between the European Parliament (Parliament) and Council of Ministers remain in certain areas. However, its overall shape seems reasonably clear. The GDPR would become law directly in all Member States as from its effective date – probably 2 years after its adoption. UK Deputy Information Commissioner David Smith predicts June 2018, or end 2018 as “a more realistic prospect”. 2018 may seem distant, but it would behove organisations to start thinking about GDPR’s impact now so that they are in a position upon adoption to set in train the substantial legal, operational and risk management changes that will be required.

What is the current position on security under the Data Protection Directive?

Currently, Member States must oblige controllers to implement “appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access…and against all other unlawful forms of processing”, and “Any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law” (Arts. 16-17 DPD). In information security parlance, these amount to measures at least to protect confidentiality and integrity, and indirectly availability. Controllers must ensure a level of security