Update: June 28th 2015
Progress is being made... slowly. Here is a link to the version proposed by the European Council.
The new EU Data Protection regulation took another step on its long road towards becoming law. What does this mean for application design and security?
The regulation was originally proposed by the EU Commission in January 2012, and the EU Parliament has now supported it (with lots of amendments to the original proposal). The next step on the long road is the EU Council of Ministers.
Who knows when/if this becomes law, but it is worthwhile being aware of it. It is long and complicated and will change.
What could this mean for application design and security? Here are some of the proposed amendments which may impact your application design and security when processing personal information of EU citizens. These are just the barest details based on the amendments proposed by the EU Parliament. There is more information in the links below.
Article 15 - Amendment 78 - Right to Rectification and Completion
In this amendment, the data subject can request that any information be corrected. For the application developer, this means that there should be some way to correct personal information that the application stores.
Article 16 - Amendment 79 - Right to Erasure
The data subject can request that their personal data be deleted. There are various conditions around this. Basically it means that the application should have the ability to delete a user's information at their request.
Article 19 - Amendment 81 - Data Protection by Design and by Default
This is a core article from a security perspective. It talks about "protection by design", "risk", "entire lifecycle management of personal data from collection to processing to deletion".
Security of personal data cannot be an afterthought. It must be considered from the start of the application design.
Article 24 - Amendment 86 - Keeping of Records
This article essentially means that the application must keep an audit trail. It even mentions such items as "date and time".
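One way an application could support the correction, erasure and audit-trail points described above, as an added example that is not from the original post or the regulation text. The SQLite schema, function names and actor labels are assumptions; logging field names rather than values is a design choice of this example so that the trail holds no personal data after erasure.

```python
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
CREATE TABLE audit  (at TEXT NOT NULL, actor TEXT NOT NULL,
                     action TEXT NOT NULL, subject_id INTEGER NOT NULL,
                     fields TEXT NOT NULL);
"""
ALLOWED_FIELDS = {"name", "email"}  # columns a data subject may correct

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _audit(db, actor, action, subject_id, fields=()):
    # Record date and time, who, what and which fields, never the values,
    # so the trail holds no personal data once the record is erased.
    at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    db.execute("INSERT INTO audit VALUES (?,?,?,?,?)",
               (at, actor, action, subject_id, ",".join(sorted(fields))))

def create(db, actor, name, email):
    with db:  # one transaction: data change and audit row commit together
        cur = db.execute("INSERT INTO person (name, email) VALUES (?,?)",
                         (name, email))
        _audit(db, actor, "create", cur.lastrowid, ALLOWED_FIELDS)
    return cur.lastrowid

def rectify(db, actor, subject_id, **changes):
    unknown = set(changes) - ALLOWED_FIELDS
    if unknown or not changes:
        raise ValueError(f"nothing valid to rectify; rejected: {sorted(unknown)}")
    sets = ", ".join(f"{col} = ?" for col in changes)  # names vetted above
    with db:
        cur = db.execute(f"UPDATE person SET {sets} WHERE id = ?",
                         (*changes.values(), subject_id))
        if cur.rowcount != 1:
            raise KeyError(subject_id)  # rolls back, nothing is logged
        _audit(db, actor, "rectify", subject_id, changes)

def erase(db, actor, subject_id):
    with db:
        cur = db.execute("DELETE FROM person WHERE id = ?", (subject_id,))
        if cur.rowcount != 1:
            raise KeyError(subject_id)
        _audit(db, actor, "erase", subject_id)
```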
Article 27 - Amendment 90 - Security of Processing
This is another one directly related to application security. The main clause states that the data controller or processor must:
"implement appropriate technical and organisational measures and procedures to ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of their implementation."
Again, this clause mentions risk. The article itself lists a number of more detailed requirements covering security measures such as access control, etc.
- EU Press Release 12th March 2014 - Progress on EU data protection reform now irreversible following European Parliament vote