New data protection laws could cause pain for businesses

Sweeping reforms to data protection legislation could cause significant pain to businesses that fall foul of the law, warns Grant Taylor

THE NEW YEAR is expected to bring sweeping reform to the European Commission’s pan-European data protection legislation and has been heralded as the first significant update of data protection since 1995.

The most significant anticipated difference is that organisations will have just 24 hours to notify their respective supervisory authority of a breach – in the UK this would be the Information Commissioner’s Office (ICO) and, at present, is not actually compulsory.

Also, if the data breach is likely to adversely affect the protection of the personal data or privacy of the people concerned, then the organisation must also inform the Commissioner’s Office within a day. Again, this is currently not compulsory in the UK.

Thirdly, the penalties for severe failures in data protection could rise to 5 per cent of the company’s global annual turnover for serious failures. The ICO can fine organisations up to £500k for serious data breaches, although the highest to date has been £130,000.

The bottom line is that these changes mean any breach will have a financial impact on the organisation to some degree – whether directly through fines, or indirectly through incurred costs, brand damage, share price erosion, the list goes on, making containment crucial.

But, these changes will affect all companies that work in the European Union. Organisations headquartered outside the EU, but operating within it, won’t be able to slip the net as they too will be subject to these new rules, as well as organisations that sell customer data to third parties.

What next?

The European Commission hasn’t actually announced the changes to date, and even when they do they will need to be sanctioned by national governments, so nothing will change overnight. Rather than wait, organisations should act now and implement the necessary culture change which will take time.

Organisations should review and, where appropriate, strengthen data protection and IT security policies and procedures, so everyone knows and understands their personal responsibility for data protection.

Embedding an automated policy management solution into an organisation is a viable way to create and sustain a culture of compliance, where people understand their responsibilities and the importance of adhering to corporate standards.

The ICO’s current recommendation is to use approved encryption software designed to guard against the compromise of information.

Businesses will need to start organising themselves to consider the financial ramifications of having weak data security. But, they must not forget to also protect themselves by implementing procedures so that if a breach occurs they do not fall foul of incoming EU legislation.

Grant Taylor is a UK VP at Cryptzone

Related reading