By Christian Toon, Head of Information Security Europe, Iron Mountain
In January, Viviane Reding, European Commissioner for Justice, outlined plans to enhance data protection rights for individuals across Europe and increase the responsibility and accountability of organisations handling records containing the information of EU citizens.
The draft guidelines reflect a growing concern about the way in which personal details are captured, handled and stored in today’s increasingly complex information age. If adopted, the new legislation would apply to all organisations that do business in Europe. Response so far has been mixed, with many businesses concerned about the cost and process implications. What do the proposals mean for your business?
We entrust businesses and public sector organisations with our most personal data. In return, we have a right to expect that our details are treated carefully and responsibly. Yet despite the growing scrutiny from the authorities and media alike, and the subsequent increase in high-profile reporting of data breaches, organisations across Europe continue to lose, destroy by error or otherwise mishandle sensitive, personal and confidential data. EU citizens are becoming increasingly concerned about who holds what information about them and how securely this information is held — and rightly so.
Viviane Reding, European Commissioner for Justice, has decided that it is time for an overhaul of European data protection legislation. Her draft European Data Protection bill, announced in January, seeks to introduce more stringent rules and regulations that will boost protection and privacy for the individual and increase responsibility and accountability for organisations handling our data. The aim is that the rules be implemented with consistency and clarity across all European Union member states and apply also to organisations based outside Europe that do business within the community.
The new legislation would replace the EU Data Protection Directive 95/46/EC, an important component of EU privacy and human rights law under which organisations in both the public and private sector have been operating for thirteen years.
The legislation would mean good news for organisations in a number of ways. First, it would reduce bureaucratic compliance requirements for many organisations and provide a single set of compliance laws across Europe. At the same time, it would impose a greater responsibility on organisations to protect against and acknowledge data breaches, introducing stiffer penalties for organisations that fall short of the legal requirements. This would be no bad thing. Senior management need to act to stop the flow of sensitive information that is leaking out of organisations. The right information policies and procedures need to be in place. All too often, it seems that organisations are mopping the floor after the leak. It’s about time someone got up and turned off the tap.
In particular, the draft EU proposal includes four requirements that would, if adopted, have a far-reaching impact on all organisations that do business in Europe. The first of these is mandatory notification of breaches: both the relevant Data Protection Authority (DPA; in the UK's case the Information Commissioner's Office, the ICO) and all affected individuals would have to be notified within 24 hours of a data security breach, including unauthorised destruction or loss of data. The DPA would have to be notified even where there is no risk of harm to the individuals concerned.
This requirement raises a number of important questions, including the need for data breach thresholds: does it apply to the loss of a single record, for example, and would there be a longer time limit if the breach involved the loss of millions of customer records? It also raises the question of whether public and private sector organisations would be able, and indeed willing, to self-regulate.
The second requirement would oblige all public sector organisations, and private sector organisations with more than 250 employees, to appoint a named data protection officer. This could have significant resource, training and recruitment implications for many organisations. One option would be to add the responsibility to the remit of an appropriately skilled existing employee.
Thirdly, the proposal opens the way for significantly increased fines. Under the draft legislation, regulatory authorities would have powers to impose fines of up to 1 million euros, or 2 per cent of annual turnover for private sector organisations, for failures to comply with the regulation. That the EU is prepared to authorise this level of punishment highlights just how seriously data protection is to be taken.
Last, but not least, the draft bill seeks to give individuals the 'right to be forgotten'. In essence, it states that individuals should have greater control over their data and be allowed to demand the removal or deletion of personal records from any organisation that holds them. If adopted, this requirement would have immense resource implications for organisations and could be time-consuming and complex to implement, particularly in the fast-moving world of social media. However, the small print suggests that this right is a 'qualified' rather than an absolute one.
It remains to be seen how much of the draft proposal makes it into the final legislation; but the announcement of the plans has given organisations across Europe a valuable opportunity to review and enhance their information handling policies. We must seize that opportunity. Once the new EU legislation is finalised and comes into effect, it will be too late.