A current hot topic in the world of online technology and social media is that of data protection and the integrity and security of our personal online information. Whilst this has always been an important area – and one that has been regulated to some extent by the Data Protection Act 1998 – a number of high-profile cases relating to personal data breaches have made many online users examine the codes of practice that online enterprises work to when storing, managing and transferring their personal information. Such considerations are especially pertinent to the legal industry, given the highly sensitive nature of information that will be stored.
Specifically, a big change over the past 10-plus years has been the trend in document storage, with management moving from hard copies, discs or memory sticks to cloud-based storage – essentially, a way of storing and managing documents and data online. Naturally, this method has a number of advantages that are appealing to users. There are fewer space and size restrictions, meaning that we can store high volumes of data or larger files easily and in the same place. What’s more, cloud storage offers an ease of accessibility that means that users can access their data quickly and easily, even on the move, simply by providing their login credentials or passwords – and thus dispensing with the need to carry around physical storage devices. In today’s world of instant communication, this has proved to be a very appealing feature of cloud-based storage.
However, the picture isn’t as perfect as it first appears. Cloud storage has been under fire for failures to protect the private data that it houses, and users are demanding more assurances on how their data is looked after. In response to this feedback, a new, Europe-wide set of personal data regulations is due to come into force in May 2018: the EU General Data Protection Regulation (GDPR).
So how do these new regulations provide more protection for the data of online users? There are a couple of key changes which many hope will go some way towards providing greater security and peace of mind. The first crucial area relates to consent, as companies will be required to keep robust records of the consent that users give to store and use their personal data. However, consent can be a difficult term to define, and these regulations place much more of an emphasis on what is known as “active agreement” rather than the passive act of a pre-ticked consent box. Individuals must also be allowed to quickly and easily withdraw their consent at any time without suffering any unwanted consequences.
Secondly, the regulations put a greater onus on companies to prevent and report data breaches. If a breach cannot be avoided altogether, it must be dealt with swiftly and with the least possible impact on individuals. Thus the GDPR stipulates that companies inform the appropriate parties and authorities of a data breach within 72 hours, alongside a plan on how to deal with it and minimise its impact.
Ultimately, the guidance given by the Information Commissioner’s Office (ICO) entreats online data users to ensure not only that the cloud service with which they choose to store their personal data complies with the current Data Protection Act but also that it will be fit for that purpose under the new regulations set to come into force next year. Basic security housekeeping tasks for users, such as changing passwords regularly, considering the type of data you hold on cloud-based services and taking personal steps to ensure that nobody else has access to your user details, are prudent ways to play your part in maintaining the privacy and integrity of your own data.