EU Data Protection Regulation – a square peg in a round hole?

There are few things more frustrating, metaphorically speaking, than seeing square pegs getting persistently hammered into round holes. It’s clear that the solution is wrong, but you nonetheless continue to see greater and greater force applied to the issue, until eventually, it’s realised that an error has been made. It’s a well-worn analogy, but upon considering the EU’s proposal for a new European Data Protection Regulation, it’s one that begs the question – do the EU’s lawmakers know the difference between a round and a square peg when they see it?

Of course, we can all agree that efforts to protect personal data and the online rights of citizens are, in general, a good thing, but what happens when the regulations do nothing to address the source of the problem or encourage best practice?

For me, it’s an absolute no-brainer that any new regulations should contain a tacit acceptance that technology is evolving too fast to be regulated in the traditional way, and need to be structured accordingly. Clearly, the EU’s regulations are aiming to provide the right to data protection, as well as the free flow of data. But even so, it seems to me as though trying to enforce this by setting rules and penalties around data loss is very much closing the stable door after the horse has bolted.

Instead of looking to increasingly complex regulation, perhaps companies need to take a deeper look at the root causes of data loss, particularly when applications are deployed in the cloud, and maintain control of their own data? In doing so, perhaps they may even find that their principle challenge lies, not in compliance with these regulations, but in ensuring that they are able to maintain control over their applications and the data they use?

To achieve the required level of control, it seems clear to me that organisations must make security a key focus by building and implementing secure, risk-free business applications that are fully compliant and which protect data. Any attempt to 'bolt-on' security as an afterthought will often fall short of the mark and can be even more time-intensive, particularly when it comes to later maintenance.  Instead, data protection must be a consideration through every stage of the application development process.

The right to the protection of our personal data is one that is fundamental, not only to the way businesses function, but also to our rights as human beings. Although the EU’s regulations are designed with the best of intentions, it’s clear that this is an exercise that needs to command more attention on a global scale than a simple set of edicts. If data security is to be achieved, it must be a fluid journey, not a fire-and-forget exercise. As part of the journey, it will be the role of every single stakeholder in the process to incorporate secure management at the heart of everything they do and every service they provide, to ensure that we see fewer square pegs in round holes, and more realistic ways of staying in control of our data.