The New Year is expected to bring sweeping reform to the European Commission’s pan-European data protection legislation, heralded as the first significant update since 1995 and, some would argue, well overdue.
Which of the three expected changes to the legislation causes the most pain will depend on where in the organisation you sit.
The most significant anticipated difference is that organisations will have just 24 hours to notify their respective supervisory authority of a breach – in the UK this would be the Information Commissioner’s Office (ICO), and at present such notification is not actually compulsory.
If the data breach is likely to adversely affect the protection of the personal data or privacy of the people concerned, then the organisation must also inform them within the same timeframe. Again, this is currently not compulsory in the UK.
Thirdly, the penalties for serious failures in data protection could rise to 5% of the company’s global annual turnover, which will surely focus minds when IT security budgets are next discussed. In the UK the ICO currently has the ability to fine organisations up to £500,000 for serious data breaches, although the highest fine to date has been £130,000.
However, the bottom line is that any breach will have a financial impact on the organisation to some degree – whether directly through fines, or indirectly through incurred costs, brand damage, share price erosion and so on – making containment crucial.
Organisations headquartered outside the EU but operating within its jurisdiction won’t be able to slip the net, as they too will be subject to these new rules, as will organisations that sell customer data to third parties without authorisation.
The European Commission hasn’t actually announced the changes to date, and even when it does they will need to be sanctioned by national governments, so nothing will change overnight. But change will come. Rather than wait, organisations should act now, as it takes time to plan and implement the necessary culture change.
Organisations should review and, where appropriate, strengthen data protection and IT security policies and procedures, so everyone knows and understands their personal responsibility for data protection.
Embedding an automated policy management solution into an organisation is a viable way to create and sustain a culture of compliance, where people understand their responsibilities and the importance of adhering to corporate standards.
While implementing encryption technology is unlikely to exempt organisations from breach notification, it will certainly appease the ICO. Its current recommendation is to use approved encryption software designed to guard against the compromise of information.
With a time limit to consider, data breach identification, notification and incident procedures will become crucial in minimising the impact of a breach, both in terms of reputation and imposed penalties, if an organisation falls foul of the EU data protection legislation.
Grant Taylor is a UK VP at Cryptzone