New EU Data Protection Proposals Three Years on: Playing Catch up with a Changing World

By   ISBuzz Team
Writer , Information Security Buzz | Feb 09, 2015 05:04 pm PST

In January 2012, new EU rules designed to create a secure and unified landscape for the collection, use, and retention of data were announced. The changes in regulation were based in part on consumer research undertaken two years earlier[i] and aimed to reflect growing concerns around online data privacy, the evolving digital landscape, and globalisation.

The new rules would give individuals greater control over their personal data, make businesses more accountable for that data – with stricter requirements for protection and penalties around data breaches, for example – and commit EU member states to a set of consistent, legally-enforced regulations and rigid definitions. Companies outside the EU would have to abide by these rules.

Free Cyber Security Training! Join the revolution today!

But three years is a long time in the rapidly evolving digital universe, and it is likely to be another year before the proposals are finally agreed upon. Consumer attitudes and behaviours have changed significantly since 2012, let alone 2010 when the research was undertaken. Moreover, new tools and technologies have transformed the way data can and is being used by business.

For example, over the last few years, new digital marketing tools have entered the market that can capture, track, profile, target and personalise individuals more effectively than ever before. They draw on the cloud of context, location, browsing and the behavioural data consumers now generate with every digital interaction. In such a complex, data-rich landscape, it will be a tough ask for businesses to seek and obtain ‘explicit consent’ from each consumer as demanded by the proposals.

The rise of e-health applications, personal lifestyle monitoring, cloud computing (where personal data could be held anywhere in the world), and of course the internet-of-things are further transforming what data can be collected and how it is used. BMW recently reported that it is under growing pressure to release the data collected by its connected vehicles, including information on individual car performance, speed, navigation, and even its current occupants.[ii]

With such technology-enabled, data-driven services entering everyday life, consumers are becoming more complacent about data use. Our own European research[iii] found that 88 per ent of consumers say they now deal with so many organisations, both online and offline, that they don’t know who holds what information about them. Three quarters (72 percent) are not convinced that the benefits of having their information deleted are worth the bother of getting it removed.

However, such tolerance is not universal. There are areas where data privacy concerns are rising sharply. The widely reported NSA investigations, growing cyber-threats and invasive marketing leave many consumers feeling vulnerable and angry about how their personal data is gathered and put at risk.

In short, connected consumers are setting their own standards for acceptable data privacy. Studies show people are prepared to reveal more information to the organisations they trust.[iv] Often these are the businesses that have effective data security and privacy standards in place. As industry analyst Forrester says: “in the battle to win, serve and retain customers, data security and privacy have become competitive differentiators.”[v] 

Companies may be better off responding to the evidence of such consumer behaviour than waiting for the legislation to be finalised before deciding how to prioritise and protect the use of personal data in their business.

This is even more important because during the course of the last three years, a number of landmark events have meant that, in the absence of the new legislation, other entities have started to make important data protection decisions. These include the May 2014 judgement against Google on the ‘right to be forgotten,’ a cornerstone of the proposed regulation.

There is a great deal that is valuable, and much needed, in the new proposals. They will ensure consistency across the 28 European member states and with organisations outside the EU that collect, store, or process European data. The rules seek to build a strong framework around the use of personal data in research and the need for ‘anonymising’ such data. Furthermore, they aim to ensure that definitions for things such as ‘data consent,’ ‘data portability,’ the ‘right to erasure’ and ‘data breach notification’ are universally agreed, understood and implemented.

Organisations need to prepare. Iron Mountain has published a business advisory paper to mark World Data Protection and Privacy Day[vi] that we hope will help organisations to grasp the full implications of the new EU data protection regulations and understand why they matter. Not just in 2016 when they are finally agreed upon and implemented; but right here, right now.

By Sue Trombley, Managing Director in Professional Services, Iron Mountain

About Iron Mountain

Iron-Mountain-1Iron Mountain Incorporated (NYSE: IRM) is a leading provider of storage and information management solutions. The company’s real estate network of 64 million square feet across more than 1,000 facilities in 36 countries allows it to serve customers around the world. And its solutions for records management, data backup and recovery, document management and secure shredding help organisations to lower storage costs, comply with regulations, recover from disaster, and better use their information for business advantage. Founded in 1951, Iron Mountain stores and protects billions of information assets, including business documents, backup tapes, electronic files and medical data. Visit for more information.



[iii] The research was conducted by Opinion Matters for Iron Mountain, February 2014. Opinion Matters surveyed 1,257 office workers who work in manufacturing & engineering, legal, financial, pharmaceutical or insurance from the UK, France, Germany, Netherlands and Spain. The research was carried out between 10/01/2014 and 22/01/2014.

[iv] 50 per cent of UK of consumers will share more personal information with a brand they trust. One Poll survey of 2,000 UK online shoppers aged 18 to 55+, conducted online on Thursday 14 and Friday 14 August 2014.


[vi] An opportunity to plan and manage the impact of legal change

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x