Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Business > Data protection – one for all and all for one?

Data protection – one for all and all for one?

Published by Gbaf News

Posted on November 29, 2012

4 min read

Last updated: January 22, 2026

Joanne Rogers discussing data protection regulations and business impact - Global Banking & Finance Review — Joanne Rogers of CS Risk Management speaks on the implications of new data protection regulations for businesses, emphasizing compliance challenges and potential fines.

Joanne Rogers of CS Risk Management 2012

The proposed data protection regulation has stirred up controversy because of the implications for businesses and an increase in potential fines. An updated law that takes the increasing challenges of data security into account is long overdue but will the potential benefits of the new regulation outweigh the perceived burdens? Joanne

Back in January the general data protection regulation was announced as a replacement to the current data protection directive. The new draft law has ruffled more than a few feathers because of the implications for businesses and the increase in potential fines. Although the draft still needs to be approved, which could take up to two years, it would be sensible for businesses to consider the impact of these changes now and take steps towards ensuring future compliance.
Since the directive was introduced in 1995, there have been significant developments in the data protection landscape. The expansion of the internet, the explosion of social media, the escalation of online banking & shopping – all leading to an excess of personal information to be controlled. An updated law that takes both these changes and the challenges of data security into account is long overdue but will the potential benefits of the new regulation outweigh the perceived burdens?

Some of the key changes to consider are:

A single set of rules: One of the problems with the data protection directive was that it was not consistently implemented due to the differences in national laws across the EU member states. The regulation aims to reconcile data protection laws, applying directly to all without the requirement of a local law. These rules would also apply if personal data is handled abroad by companies active in the EU who offer their services to EU residents.

Increased responsibility & accountability for those processing or storing personal data: There will be an obligation to notify the authorities of data breaches as soon as possible, within 24 hours where feasible. The data subjects must then be informed without undue delay unless the data protection authority is satisfied that the data was protected from unauthorised access.

Increased penalties: Companies found breaching EU data protection law, whether intentionally or through negligence, could face fines of up to a maximum of 2% of their global annual turnover.

Removal of the notification requirement: The current requirement to register as a data controller (also known as notification) will be replaced with an obligation to maintain documentation of processing operations and to conduct data protection impact/risk assessments.

Cloud service stipulations: Businesses engaging with cloud service providers must ensure these providers fulfil data protection requirements. If the cloud service provider wants to retain the services of any third parties, the service provider must seek permission from its clients first.

Data subject rights: People will have easier access to their own data and will be able to transfer personal data from one service provider to another more easily. They will also have a ‘right to be forgotten’, allowing them to demand deletion of their data if there are no legitimate grounds for retaining it. Where data has been made public, all reasonable steps should be taken to inform third parties of the deletion and erase links to the data.

Explicit consent, instead of assumed permission: In cases where consent is required, permission must be explicitly requested rather than assumed. Where personal data is processed for direct marketing, the subject should also be explicitly offered the right to object.

Mandatory data protection officers: Companies who employ more than 250 people, public authorities and those whose principal activities involve regular monitoring of data subjects, will need to appoint a data protection officer with responsibility for compliance.

At first glance these changes may be a daunting prospect with potential increased workload. However even if changes are made before the legislation is approved, when considering the value of data, it is good business sense to take steps to protect it.

CS Risk Management is exhibiting at Infosecurity Europe 2013, the no. 1 industry event in Europe held on 23rd – 25th April 2013 at the prestigious venue of earl’s court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk