The EU Data Protection Act (2015)

What is the current Data Protection Directive?

The Data Protection Directive first came into place in 1995 to ensure the correct handling of personal data within the EU.1 Since then, data protection legislation in several countries outside of the EU have been approved to ensure that data could be transferred between them. One of these, the 1998 Safe Harbor Privacy Principles, was developed in the US and then adopted into the directive in the year 2000.2

What changed?

In October of 2015, the Safe Harbor decision was deemed invalid due to misuse and the lack of control over data stored abroad. Max Schrems, a young student from Austria, challenged the Irish “Data Protection Commissioner” (DPC) to audit Facebook over what data is stored where and what data is passed to US authorities.3 After Edward Snowden’s testimony regarding large scale snooping by the American National Security Agency (NSA) and others, it had become clear that data was in many cases not safe or private anymore. At first, the Irish high commission dismissed Mr. Schrems’s case; but the case was then brought before the European Supreme Court where it was ruled in favor of Mr. Schrems. The Safe Harbor Privacy Principles were thereby deemed… invalid!4

Who will be influenced by the new Data Protection Act?

Any company that is dealing with private data and user information will be influenced by this act. Obviously, the biggest impact will be in the Public and Finance sector. But companies with direct online sales, web applications and apps that collect personal data will have to align themselves with the new Data Protection Act.

What now?

The new Data Protection Act is in its final stages. It is expected to be published by the end of 2015 and enforced by the end of 2017/beginning of 2018. The main areas affected are:

  1. New standards on the hardware side: firewalls, routers, ect.
  2. Data storage locations.
  3. User data access and flow. (Who has access? What do they need it for? Is the customer’s “Data Ownership” respected? Is the data kept up to date?)

Besides these areas, there are a two new important points to remember for a company looking to comply with the new Data Protection act:

  • Data Protection Officer Requirements: Any company that processes data related to, for now, 5000 or more “data-subject” individuals,5 or that have more than 250 employees,6 will need to have a trained and appointed, expert “Data Protection Officer” (DPO).
  • Increased Fines: Fines for NON-Compliance will rise dramatically. In Denmark, fines are normally under 25 000 Danish Kroner. After the European Data Act is enforced, this number could easily go up to 2–5% of the company’s yearly global turnover.7

The new data act will not only be applicable to companies dealing with Social Security numbers, names and addresses; private data has also been defined to include credit card details, photos, e-mail addresses, GPS information, IP addresses… any and all data that can be associated with or lead to the identification of a person!7

How can Identity Management (IDM) help your company comply with the new criteria found in the EU Data Protection Act?

Henrik Syskind-Pedersen, a lawyer at the Bech-Bruun lawfirm and expert in personal data and Intellectual Property Rights (IPR) compliance, was recently interviewed by our partner, SoftwareOne. Acording to this interview, the important thing to remember is that all companies in scope must document and control the data-flow of all their bits of identity information while making sure the customer has ownership of their own data.

As a company, you have until the start of 2018 to establish documentation and control of your data flow. Who, what, when, where and why your company is processing personal data must be kept track of 100%. This is, in reality, Identity Management. And that is why IDM365 is a natural solution to make sure you can comply with the Data Protection Act. IDM365 can integrate with your systems and applications and can act as Single Point of Truth for identities across all systems:

  • Treat all users as 1st class identities to make sure that all private data (data that can identify the user) is treated with the correct security measures.
  • Allow all your identities, such as users, clients, machines, vendors, customers, etc., to know and be able to update and control their information.
  • Document and control the flow of identities within the organization including which systems contain identity information and why.
  • Receive compulsory breach notifications within 24 hours to notify the DPO and the Data Protection Authority.
  • Control who can view and manage identities through Identity and Access Management (IAM), a central part of IDM365.
  • Base personal data in local servers according to a user’s location – thereby satisfying local standards and laws.

IDM365 has the set up for your company to handle identities in a way that complies with the new EU Data Protection standards. The standards will be enforced throughout the EU, and the roughly 4400 companies currently under the US Safe Harbor umbrella will need to revise their data transfer strategy.8

Call us for advice or send us an email. Our contact details can be found on our IDM365 Contact Page

More information on IDM365 and MIM can be found here.


  1. ^ EU Directive 95/46/EC – The Data Protection Directive
  2. ^ U.S.-EU Safe Harbor Overview
  3. ^ Irish court hears Facebook data privacy challenge
  4. ^ Deloitte Privacy Newsletter Oktober 2015 (in Danish)
  5. ^ Does your business need a “Data Protection Officer?”
  6. ^ Data Protection Officer
  7. ^ Styr på persondata? (in Danish)
  8. ^ EU Data Transfer Path for U.S. Companies Invalidated