Category Archives: EU

75% of apps not compliant under EU data protection rules

Research from Netskope has claimed more than 75% of business apps lack key capabilities to ensure compliance under the EU General Data Protection Regulation.

The company tracked 22,000 apps of which three quarters failed to meet minimum requirements of the EU, falling down in areas such as deleting personal data in a timely manner or violating data portability requirements.

The companies who have not met the required standards now have just under two years to ensure compliance, when GDPR comes into play in 2018. Failure to meet the criteria will see a company fined up to $22 million or up to four percent of annual worldwide revenue, whichever is greater.

“The shift to the cloud presents an increasing complexity and volume of security challenges for enterprises, including regulations like the EU GDPR,” said Sanjay Beri, CEO of Netskope. “With the deadline for compliance looming, complete visibility into and real-time control over app usage and activity in a centralised, consistent way that works across all apps is paramount for organisations to understand how they use and protect their customers’ personal data.”

The number of sanctioned apps containing malware increased from 4.1% to 11% in the period between reports. More than a quarter of the instances of malware were detected in files that had been shared with others within the organization. In terms of cloud data loss prevention, cloud storage applications accounted for 73.6%, with Webmail coming in second with 22.1%.

Dropbox opens Hamburg office to reduce US/EU data concerns

Dropbox has announced the opening of its latest European office, branching into the German market ahead of plans to open a new data centre in Europe later in the year.

The company has answered concerns from European customers regarding the transmission of data across the Atlantic by committing to hosting their data within the EU; a region which the company claims is generating the majority of recent growth. This commitment has also been backed up with the company opening new offices in Dublin, London, Paris and Amsterdam, in addition to Hamburg.

Data residency has been an issue for European customers for a number of months since the Court of Justice of the European Union declared Safe Harbour void last October. Since then, there have been a number of efforts to soothe the relationship between the US and the EU, though the issue still remains contentious and newer drafts of Safe Harbour have been criticized by various European quarters.

As Europe represents a healthy growth region for Dropbox, it would appear the team are not prepared to wait for the EU/US data storm to blow over. Opening a new data centre in Germany has the potential for Dropbox to avoid the repercussions of the long-standing dispute.

“From manufacturing to professional services to healthcare, industries in Europe and around the world are discovering the benefits of increased collaboration on Dropbox,” said Thomas Hansen, Global VP of Revenue at Dropbox. “And the opening of our Hamburg office is just a part of our European commitment.

“From co-working spaces to corporations, people bring Dropbox to work, and adoption in Germany has been phenomenal. The top three cities in terms of Dropbox signups are also the largest: Berlin, Hamburg, and Munich. But Karlsruhe and Dresden are the real hotspots when measuring users per capita.”

As with other freemium business models, Dropbox has reportedly found difficulties in upgrading customers to the paid-for services. The company launched a new relationship with Adyen last year to offer localized payment models in 12 European countries, built around a direct debit payment mechanism, a more popular model in the European markets, as opposed to PayPal or credit card models.

What happens to EU General Data Protection Regulation if the UK votes for a Brexit?

Businesses warned not to give up on data reforms just because UK could quit Europe

As the UK prepares to vote on whether to leave the European Union, businesses are being warned not to give up on data reforms inspired by the forthcoming EU General Data Protection Regulation (GDPR).

Businesses across the country have been studying implications of the new Regulation, due to be in force in May 2018, which aims to create a ‘one-stop shop’ for data protection across the European Union.

Some of the key aspects of the bill include huge fines for data breaches, new rules around the collection of personal data and new rights for European citizens to ask for data to be deleted or edited. Many businesses will also be required to appoint a Data Protection Officer.

However, the Brexit vote opens up the possibility that the UK could be out of the EU by the time it comes into force.

John Culkin, Director of Information Management at Crown Records Management, said: “It would be tempting for businesses to think that if the UK leaves the EU this regulation would not apply. In fact, that isn’t the case. Although an independent Britain would not be a signatory of the Regulation, in reality it would still be impossible to avoid its implications.

“The Regulation governs the personal data of all European citizens, providing them with greater control and more rights over information held about them. So any company holding identifiable information of an EU citizen, no matter where it is based, needs to be aware. With millions of EU citizens living in the UK, too, it’s hard to imagine that many businesses here would be unaffected.

“The same applies to data breaches involving the personal data of European citizens. So it will still be vital to have a watertight information management system in place which allows businesses to know what information they have, where it is, how it can be edited and who is responsible for it.”

Even if the UK votes to leave the EU, data in Great Britain & Northern Ireland will continue to be regulated by the current Data Protection Act, which was passed in 1998.

A spokesperson for the Information Commissioner’s Office (ICO), an independent body set up to uphold information rights, said: “Although derived from an EU Directive, the Data Protection Act was passed by the UK Parliament and will remain in place after any exit, until Parliament decides to introduce a new law or amend it.

“The UK has a history of providing legal protection to consumers around their personal data. Our data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines.

“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and is also central to the sharing of data that international trade relies on. The UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU.”

Culkin believes there is a real danger that UK businesses will defer crucial reforms of their information management systems – just in case the Brexit vote in June changes the agenda. But he warns it is a big risk.

He said: “Businesses should be thinking about the benefits of good information governance rather than hesitating because of what could happen in the future.

“There is no point putting in place systems that ignore privacy by design, for instance, when that is good procedure – no matter what happens in Europe in June. The same is true of measures to protect a business from data breaches, which have reputational as well as financial implications – no matter who imposes the fine.

“As for personal data, citizens in the UK are only going to be more demanding about how their data is collected, stored and edited in future – the genie is out of the bottle and it’s not sensible to think that leaving the EU will change it. Preparing for a modern data world is not only about the GDPR.”

This is a view shared by the ICO, which will continue to ensure organisations meet their information rights obligations no matter how the UK votes.

A spokesperson said: “Ultimately, this is a decision for organisations based on their own particular circumstances. Revisiting and reassessing your data protection practices will serve you well whatever the outcome of the referendum. Investing in GDPR compliance will ensure an organisation has a high standard of data protection compliance that will enable the building of consumer trust.”

EU data protection authorities rubber-stamp AWS’ data processing agreement

EU data protection authorities have rubber-stamped AWS' data protection practices


The group of European Union data protection authorities, known as the Article 29 Working Party (WP29), has approved AWS’ Data Processing Agreement, which the company said would help reassure customers it applies a high standard of security and privacy in handling their data, whether moved inside or out of the EU.

Amazon said its inclusion of standardised model clauses within its customer contracts, and the WP29’s signoff of its contract, should help give customers more confidence in how it treats their data.

“The security, privacy, and protection of our customer’s data is our number one priority,” said Werner Vogels, chief technology officer, Amazon.

“Providing customers a DPA that has been approved by the EU data protection authorities is another way in which we are giving them assurances that they will receive the highest levels of data protection from AWS. We have spent a lot of time building tools, like security controls and encryption, to give customers the ability to protect their infrastructure and content.”

“We will always strive to provide the highest level of data security for AWS customers in the EU and around the world,” he added.

AWS already boasts a number of highly regulated clients in the US and Europe, and has made strides to appease the security and data-sovereignty-conscious customers. The company has certified to ISO 27001, SOC 1, 2, 3 and PCI DSS Level 1, is approved to provide its services to a number of banks in Europe, and is working with the CIA to build a massive private cloud platform.

More recently AWS added another EU availability zone based in Frankfurt; it operates one in Dublin.

The rubber-stamping seems to have come as welcome news to some European members of parliament, who have for the past few years been actively working on data protection reform in the region.

“The EU has the highest data protection standards in the world and it is very important that European citizens’ data is protected,” said Antanas Guoga, Member of the European Parliament.

“I believe that the Article 29 Working Party decision to approve the data proceeding agreement put forward by Amazon Web Services is a step forward to the right direction. I am pleased to see that AWS puts an emphasis on the protection of European customer data. I hope this decision will also help to drive further innovation in the cloud computing sector across the EU,” Guoga added.