The Data Protection Directive (DPD) is a set of data security and privacy rules adopted by the EU in 1995. Some of the requirements contained in this Directive include allowing the correction and erasure of personal data on request, limiting the amount of collected data, forcing organizations to delete data that is considered no longer relevant, and obtaining consumer opt-in. This article will discuss these laws and the secure data destruction standards set by the EU.

Let us start by acknowledging the fact that the EU was among the pioneers in setting and enforcing majority of the privacy laws that are in use today. The DPD set by the EU had a definition of personally identifiable information that is fully protected by the law. Some of the information covered by DPD includes phone number, address, name, Internet-era handles and other standard identifiers.

More information on data destruction

Over the years, the interpretations of the original DPD has extended to include areas such as erasure of data on the Internet, cloud service providers, and the exporting of data outside the Eurozone known as the EU-US Safe Harbour.

But as time went by, the DPD started experiencing some issues. For instance, it did not fully address cloud processing, it was inadequately equipped to handle the unforeseen explosion in data gathering and storage, and EU countries were allowed to formulate and interpret their own laws based on the DPD.

For these reasons, a new set of privacy laws had to be formulated. These set of laws are known as the General Data Protection Regulation (GDPR). These new rules were approved in April 2016 and will replace the DPD. Companies have been given up to May 2018 to become fully compliant with the GDPR.

Some of the new items on the GDPR include requirements for notifying the authorities and consumers when there is breach, performing risk assessments under certain conditions, strengthening rules for data reduction, and documenting IT procedures. Also, the GDPR has the concept of extra-territoriality that will apply to companies handling EU citizen's data over the Internet without having physical presence in these countries.

Companies that will fail to comply with the GDPR will face a fine of up to 20,000,000.00. However, this fine may vary depending on some set of violations from as low as 2 to as high as 4 depending on the global revenue of the company.

Foundation Principles of DPD

The DPD is based on seven foundational principles. The principles are

1. Security

This principle requires that data must be handled with adequate security. This means that the company handling the data must put in place the appropriate organisational and technical measures to keep the data safe from unauthorised disclosure, alteration, loss, or destruction.

2. Restricted

The company must ensure that data is relevant and adequate. The data should not be excessive in relation to the reason it was collected.

3. Fairness

Data must be processed fairly and lawfully.

4. Destroyed when obsolete

Personal data must be stored for the period that it is relevant only.

5. Specific purpose

The reason for processing data must be specified and explicit. Also it should be processed for legitimate purposes.

6. Accurate

Data should be accurate and kept-up-to-date and errors should be rectified or erased.

7. Automated processing

No decision can be made from data processing based on automated processing of data that looks at personal aspects alone.