Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

Data protection – one for all and all for one?

Joanne Rogers of CS Risk Management 2012

The proposed data protection regulation has stirred up controversy because of the implications for businesses and an increase in potential fines. An updated law that takes the increasing challenges of data security into account is long overdue but will the potential benefits of the new regulation outweigh the perceived burdens?Joanne

Back in January the general data protection regulation was announced as a replacement to the current data protection directive. The new draft law has ruffled more than a few feathers because of the implications for businesses and the increase in potential fines. Although the draft still needs to be approved, which could take up to two years, it would be sensible for businesses to consider the impact of these changes now and take steps towards ensuring future compliance.
Since the directive was introduced in 1995, there have been significant developments in the data protection landscape. The expansion of the internet, the explosion of social media, the escalation of online banking & shopping – all leading to an excess of personal information to be controlled. An updated law that takes both these changes and the challenges of data security into account is long overdue but will the potential benefits of the new regulation outweigh the perceived burdens?

Some of the key changes to consider are:

A single set of rules: One of the problems with the data protection directive was that it was not consistently implemented due to the differences in national laws across the EU member states. The regulation aims to reconcile data protection laws, applying directly to all without the requirement of a local law. These rules would also apply if personal data is handled abroad by companies active in the EU who offer their services to EU residents.

Increased responsibility & accountability for those processing or storing personal data: There will be an obligation to notify the authorities of data breaches as soon as possible, within 24 hours where feasible. The data subjects must then be informed without undue delay unless the data protection authority is satisfied that the data was protected from unauthorised access.

Increased penalties: Companies found breaching EU data protection law, whether intentionally or through negligence, could face fines of up to a maximum of 2% of their global annual turnover.

Removal of the notification requirement: The current requirement to register as a data controller (also known as notification) will be replaced with an obligation to maintain documentation of processing operations and to conduct data protection impact/risk assessments.

Cloud service stipulations: Businesses engaging with cloud service providers must ensure these providers fulfil data protection requirements. If the cloud service provider wants to retain the services of any third parties, the service provider must seek permission from its clients first.

Data subject rights: People will have easier access to their own data and will be able to transfer personal data from one service provider to another more easily. They will also have a ‘right to be forgotten’, allowing them to demand deletion of their data if there are no legitimate grounds for retaining it. Where data has been made public, all reasonable steps should be taken to inform third parties of the deletion and erase links to the data.

Explicit consent, instead of assumed permission: In cases where consent is required, permission must be explicitly requested rather than assumed. Where personal data is processed for direct marketing, the subject should also be explicitly offered the right to object.

Mandatory data protection officers: Companies who employ more than 250 people, public authorities and those whose principal activities involve regular monitoring of data subjects, will need to appoint a data protection officer with responsibility for compliance.

At first glance these changes may be a daunting prospect with potential increased workload. However even if changes are made before the legislation is approved, when considering the value of data, it is good business sense to take steps to protect it.

CS Risk Management is exhibiting at Infosecurity Europe 2013, the no. 1 industry event in Europe held on 23rd – 25th April 2013 at the prestigious venue of earl’s court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk