Heralded as the first significant update of data protection legislation since 1995, and some would argue well overdue, sweeping reform of the European Commission's pan-European data protection legislation is expected in the New Year.
Which of the three expected changes causes the most pain will depend on where in the organisation you sit.
The most significant anticipated change is that organisations will have just 24 hours to notify their supervisory authority of a breach. In the UK that authority is the Information Commissioner's Office (ICO), and at present notification is not actually compulsory.
If the breach is likely to adversely affect the protection of the personal data or the privacy of the people concerned, the organisation must also inform those individuals within the same timeframe. Again, this is currently not compulsory in the UK.
Thirdly, the penalties for serious failures in data protection could rise to 5% of the company's global annual turnover, which will surely focus minds when IT security budgets are next discussed. In the UK the ICO can currently fine organisations up to £500,000 for serious data breaches, although the highest fine to date has been £130,000.
However, the bottom line is that any breach will have a financial impact on the organisation to some degree, whether directly through fines or indirectly through incurred costs, brand damage, share price erosion and so on, which makes containment crucial.
Organisations headquartered outside the EU but operating within its jurisdiction won't be able to slip the net, as they too will be subject to the new rules. So will organisations that sell customer data to third parties without authorisation.
The European Commission hasn't actually announced the changes yet, and even when it does they will need to be sanctioned by national governments, so nothing will change overnight. But change will come. Rather than wait, organisations should act now, as it takes time to plan and implement the necessary culture change.
Organisations should review and, where appropriate, strengthen data protection and IT security policies and procedures, so everyone knows and understands their personal responsibility for data protection.
Embedding an automated policy management solution into an organisation is a viable way to create and sustain a culture of compliance, where people understand their responsibilities and the importance of adhering to corporate standards.
While implementing encryption technology is unlikely to exempt organisations from breach notification, it will certainly appease the ICO, whose current recommendation is to use approved encryption software designed to guard against the compromise of information.
With a time limit to consider, data breach identification, notification and incident procedures will become crucial in minimising the impact of a breach, both in terms of reputation and imposed penalties, should an organisation fall foul of the EU data protection legislation.
Grant Taylor is a UK VP at Cryptzone