Heralded as the first significant update to data protection legislation since 1995, and some would argue well overdue, sweeping reform of the European Commission’s pan-European data protection legislation is expected to arrive in the New Year.
It will depend where in the organisation you sit as to which of the three expected changes to the legislation will cause the most pain.
The most significant anticipated difference is that organisations will have just 24 hours to notify their respective supervisory authority of a breach. In the UK this would be the Information Commissioner’s Office (ICO), and at present such notification is not actually compulsory.
If the data breach is likely to adversely affect the protection of the personal data or privacy of the people concerned, then the organisation must also inform them within the same timeframe. Again, this is currently not compulsory in the UK.
Thirdly, the penalties for serious failures in data protection could rise to 5% of the company’s global annual turnover, which will surely focus minds when IT security budgets are next discussed. In the UK the ICO currently has the ability to fine organisations up to £500,000 for serious data breaches, although the highest fine to date has been £130,000.
However, the bottom line is that any breach will have some financial impact on the organisation, whether directly through fines or indirectly through incurred costs, brand damage, share price erosion and so on, which makes containment crucial.
Organisations headquartered outside the EU but operating within its jurisdiction won’t be able to slip the net, as they too will be subject to these new rules, as will organisations that sell customer data to third parties without authorisation.
The European Commission hasn’t actually announced the changes to date, and even when it does, they will need to be sanctioned by national governments, so nothing will change overnight. But change will come. Rather than wait, organisations should act now, as it takes time to plan and implement the necessary culture change.
Organisations should review and, where appropriate, strengthen data protection and IT security policies and procedures, so everyone knows and understands their personal responsibility for data protection.
Embedding an automated policy management solution into an organisation is a viable way to create and sustain a culture of compliance, where people understand their responsibilities and the importance of adhering to corporate standards.
While implementing encryption technology is unlikely to exempt organisations from breach notification, it will certainly appease the ICO. Its current recommendation is to use approved encryption software designed to guard against the compromise of information.
With a notification time limit to consider, data breach identification, notification and incident response procedures will become crucial in minimising the impact of a breach, both in terms of reputation and of the penalties imposed if an organisation falls foul of the EU data protection legislation.
Grant Taylor is a UK VP at Cryptzone