Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

The new EU data protection guidelines

Christian Toon overviews planned changes to European data protection laws and their implications for data handling and management.

In January 2012, Viviane Reding, European Commissioner for Justice, outlined plans to enhance data protection rights for individuals across Europe and increase the responsibility and accountability of organizations handling records containing the information of EU citizens. The draft guidelines reflect a growing concern about the way in which personal details are captured, handled and stored in today’s increasingly complex information age. If adopted, the new legislation would apply to all organizations that do business in Europe. Response so far has been mixed, with many businesses concerned about the cost and process implications. What do the proposals mean for your organization?

We entrust businesses and public sector organizations with our most personal data. In return, we have a right to expect that our details are treated carefully and responsibly. Yet despite the growing scrutiny from the authorities and media alike, and the subsequent increase in high-profile reporting of data breaches, organizations across Europe continue to lose, destroy by error or otherwise mishandle sensitive, personal and confidential data. EU citizens are becoming increasingly concerned about who holds what information about them and how securely this information is held – and rightly so.

Viviane Reding, European Commissioner for Justice, has decided that it is time for an overhaul of European data protection legislation. Her draft European Data Protection bill, announced in January, seeks to introduce more stringent rules and regulations that will boost protection and privacy for the individual; increase responsibility and accountability for organizations handling our data. The aim is that the rules be implemented with consistency and clarity across all European Union member states and apply also to organizations based outside Europe that do business within the community.

The new legislation will replace the EU Data Protection Directive 95/46, an important component of EU privacy and human rights law under which organizations in both the public and private sector have been operating for thirteen years.

The legislation would mean good news for organizations in a number of ways. First, it would reduce bureaucratic compliance requirements for many organizations and provide a single set of compliance laws across Europe. At the same time, it would impose a greater responsibility on organizations to protect against and acknowledge data breaches, introducing stiffer penalties for organizations that fall short of the legal requirements. This would be no bad thing. Senior management need to act to stop the flow of sensitive information that is leaking out of organizations. The right information policies and procedures need to be in place. All too often, it seems that organizations are mopping the floor after the leak. It’s about time someone got up and turned off the tap.

In particular, the draft EU proposal includes four requirements that would, if adopted, have a far-reaching impact on all organizations that do business in Europe. The first of these is the mandatory notification of breaches. This recommends that both the relevant Data Protection Authorities (DPAs) – [in the UK’s case this would be the ICO] – and all affected individuals have to be notified within 24 hours of a data security breach, including unauthorised destruction or loss. The data protection authorities must be notified even in the absence of any risk of harm to data.

This requirement raises a number of important questions including the need for data breach thresholds: does this requirement apply to the loss of a single record, for example, and would there be a longer time limit if the data breach involved the loss of millions of customer records? It also raises the question as to whether public and private sector organizations would be able and indeed willing, to self-regulate.

The second requirement would require all public sector organizations, and private sector organizations with more than 250 employees, to have a named data protection officer. This could have significant resource, training and recruitment implications for many organizations. One option could be to add the responsibility to the remit of an appropriately skilled employee.

Thirdly, the proposal opens the way for significantly increased fines. Under the draft legislation, regulatory authorities would have powers to impose fines of up 1 million Euros – or two percent of turnover for private sector organizations – for failures to comply with the regulation. That the EU is prepared to authorise this level of punishment highlights just how seriously data protection is to be taken.

Last, but not least, the draft bill seeks to give individuals the ‘right to be forgotten’. In essence, it states that individuals should have greater control over their data and be allowed to demand the removal or deletion of personal records from any organization that holds them. If adopted, this requirement would have immense resource implications for organizations and could be time-consuming and complex to implement, particularly where it relates to the fast-moving world of social media. However, the small print suggests that this right is a ‘qualified’ one.

It remains to be seen how much of the draft proposal makes it into the final legislation; but the announcement of the plans has given organizations across Europe a valuable opportunity to review and enhance their information handling policies. We must seize that opportunity. Once the new EU legislation is finalised and comes into effect, it will be too late.

Author: Christian Toon is Head of Information Security Europe, Iron Mountain.

•Date: 23rd February 2012 • Region: UK/Europe •Type: Article • Topic: ISM

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here