The European Parliament recently voted through amended data protection proposals. These new reforms represent the EU’s first major overhaul of data protection legislation since 1995 and will bring with them significant changes to the way personal data can be used.
Once approved by the European Council, the 28 member states will have two years to become fully compliant. For many businesses, this will seem a long way off. It might be tempting to wait to make any changes until the EU legally requires that the reforms be made, but that would be a mistake.
In the wake of the widely-publicised NSA revelations around government snooping, consumers across Europe will likely welcome the greater personal protection and rights proposed by the new EU reforms as a long-overdue step in the right direction. Many businesses, however, will be challenged by the new obligations that are likely to come their way.
The new EU data protection reforms are intended to replace the current patchwork of national laws. Companies will be accountable to a single European supervisory authority rather than 28, enabling simpler, more cost-efficient business in the EU, the economic benefits of which are estimated at €2.3 billion per year.
The draft requirements directly address issues such as customer consent and the need to notify regulators of a data breach within 24 hours. Many firms currently invest more resources dealing with the fallout and investigations of data loss rather than on adequately protecting against such incidents in the first place.
This needs to change, and the reforms are designed to address the shortcoming. Under the proposals, failing to protect data adequately would carry serious financial consequences, including fines of up to five per cent of a private sector organisation's turnover in the event of an incident.
However, financial penalties for data breaches have been in place for some time and have apparently done little to encourage increased responsibility in the management and protection of sensitive information. Businesses would do well to act now and institute measures that better protect their information, regardless of the threat of incoming legislation.
It is up to businesses to scrutinise, mitigate and manage their own information risk supply chain, as part of a Corporate Information Responsibility (CIR) programme.
Examples of good practice are already in place. In Germany, for example, organisations are already obliged to make a member of staff responsible for data protection and for ensuring compliance with national law. The biggest challenge for the EU will be to get all member states to match this standard.

Meeting the new requirements will involve taking stock of current practices and ensuring that processes and policies are up to scratch. Waiting until the legislation is passed could be too late for many. For example, processes for identifying and reporting an incident need to be efficient, while monitoring of data integrity must become common practice. This has grown more complex with the prevalence of social media and mobile devices. Consequently, firms face a greater need to understand exactly what information they hold, in both physical and digital formats, and where that information is held.
A data breach does not just represent a financial risk; it represents a serious threat to brand reputation and customer loyalty. With social media on the rise, bad news travels faster and further than ever. Even the smallest incident could have serious consequences for the future of an organisation if it is found to be at fault.
Every organisation should give serious consideration to its role as the responsible custodian of sensitive information. Businesses across Europe would be well advised to recognise their vulnerabilities and seize the opportunity presented by the impending regulatory changes to assess whether they have the right processes and policies in place.
By Christian Toon, Head of Information Risk, Europe, Iron Mountain
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.