Data protection – one for all and all for one?

Joanne Rogers of CS Risk Management 2012

The proposed data protection regulation has stirred up controversy because of the implications for businesses and an increase in potential fines. An updated law that takes the increasing challenges of data security into account is long overdue but will the potential benefits of the new regulation outweigh the perceived burdens?

Back in January the general data protection regulation was announced as a replacement to the current data protection directive. The new draft law has ruffled more than a few feathers because of the implications for businesses and the increase in potential fines. Although the draft still needs to be approved, which could take up to two years, it would be sensible for businesses to consider the impact of these changes now and take steps towards ensuring future compliance.
Since the directive was introduced in 1995, there have been significant developments in the data protection landscape. The expansion of the internet, the explosion of social media, the escalation of online banking & shopping – all leading to an excess of personal information to be controlled. An updated law that takes both these changes and the challenges of data security into account is long overdue but will the potential benefits of the new regulation outweigh the perceived burdens?

Some of the key changes to consider are:

A single set of rules: One of the problems with the data protection directive was that it was not consistently implemented due to the differences in national laws across the EU member states. The regulation aims to reconcile data protection laws, applying directly to all without the requirement of a local law. These rules would also apply if personal data is handled abroad by companies active in the EU who offer their services to EU residents.

Increased responsibility & accountability for those processing or storing personal data: There will be an obligation to notify the authorities of data breaches as soon as possible, within 24 hours where feasible. The data subjects must then be informed without undue delay unless the data protection authority is satisfied that the data was protected from unauthorised access.

Increased penalties: Companies found breaching EU data protection law, whether intentionally or through negligence, could face fines of up to a maximum of 2% of their global annual turnover.

Removal of the notification requirement: The current requirement to register as a data controller (also known as notification) will be replaced with an obligation to maintain documentation of processing operations and to conduct data protection impact/risk assessments.

Cloud service stipulations: Businesses engaging with cloud service providers must ensure these providers fulfil data protection requirements. If the cloud service provider wants to retain the services of any third parties, the service provider must seek permission from its clients first.

Data subject rights: People will have easier access to their own data and will be able to transfer personal data from one service provider to another more easily. They will also have a ‘right to be forgotten’, allowing them to demand deletion of their data if there are no legitimate grounds for retaining it. Where data has been made public, all reasonable steps should be taken to inform third parties of the deletion and erase links to the data.

Explicit consent, instead of assumed permission: In cases where consent is required, permission must be explicitly requested rather than assumed. Where personal data is processed for direct marketing, the subject should also be explicitly offered the right to object.

Mandatory data protection officers: Companies who employ more than 250 people, public authorities and those whose principal activities involve regular monitoring of data subjects, will need to appoint a data protection officer with responsibility for compliance.

At first glance these changes may be a daunting prospect with potential increased workload. However even if changes are made before the legislation is approved, when considering the value of data, it is good business sense to take steps to protect it.

CS Risk Management is exhibiting at Infosecurity Europe 2013, the no. 1 industry event in Europe held on 23rd – 25th April 2013 at the prestigious venue of earl’s court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk