Yes, those are the lyrics of a song, but they are quite useful for my tale of being a Global Citizen. I have lived and worked in a number of countries and have done a number of things in all of them, from working to studying to travelling. But do I know what happened to the personal information that the government agencies, universities, stores, estate agents, employers, utility companies etc. hold on me? What has happened to all this wealth of data that I have left in my wake? Am I sure that all these records are safe or have been safely destroyed, and how can I check or be certain that they have?
A number of years back I worked at a Financial Services organization where I headed up the outsourcing of our global transactional print program. The program led me around the world, but it started in the UK, where I was based. Of course this is where I came across the UK Data Protection Act (DPA) and had to understand how it can and should be applied in order to specify to our outsource partners what we could accept them doing with our customer data. A minefield is a mild way of describing it. I then did the same for North and South America and the Far East, and each time new rules and regulations had to be understood, considered and applied in order for us to make the right outsourcing decision. Needless to say, the Information Security Risk, Compliance and Legal teams and I were spending hours at a time working with the regulations and regulators to get a full and complete understanding of where the regulations are firm and where we could have a bit of wiggle-room to do what was best for our customers and our organization.
That was a few years back, and since I was involved with this program the new EU General Data Protection Regulation (GDPR) has been drafted. I urge all who are involved in handling EU citizen data to read the article published in the Law Society Gazette on 8 February 2016 by Ibrahim Hasan. It is a very detailed article and well worth the read.
The GDPR will apply from 25 May 2018 and, being a Regulation rather than a Directive, will apply directly in every EU member state, replacing the 1995 Data Protection Directive and the national laws that implemented it (such as the UK DPA). The GDPR will apply to any organization offering goods and/or services to individuals in the EU and to any organization that monitors the behaviour of individuals in the EU. The legislation makes organizations that process such data directly responsible for data protection compliance, whether they are based in the EU or not.
Organizations found to be in breach of the regulation can face fines of up to 4% of annual global turnover or €20 million, whichever is greater. Organizations have until then to become compliant. Forewarned is forearmed, and ignorance of the law is no excuse.