Please note that this is a page from a previous version of Continuity Central and is no longer being updated.


European Commission publishes new data protection proposals

The European Commission has released details of its proposed changes to European Union data protection laws. These will update the existing data protection rules, which have been in place since 1995.

Key changes proposed by the European Commission include:

  • A single set of rules on data protection, valid across the EU.
  • ‘Unnecessary administrative requirements’ will be removed.
  • Increased responsibility and accountability for those processing personal data. For example, companies and organizations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
  • Organizations will only have to deal with a single national data protection authority in the EU country where they have their main establishment.
  • Wherever consent is required for data to be processed, permission must be given explicitly, rather than assumed.
  • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability).
  • A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
  • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
  • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2 percent of the global annual turnover of a company.
  • A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data.

The Commission's proposals will now be passed on to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. They will take effect two years after they have been adopted.


Comments on the proposed changes:

Paul Davis, director of European Operations at FireEye:
It’s all well and good to legislate that companies must notify the public and the authorities within 24 hours or face a fine of 2 percent of their global revenue, but the elephant in the room is that most companies are unable to detect external targeted attacks leading to data loss. The protection of information is critical to business and the establishment of trust with customers and the notification of data breaches is important, but detection and blocking of exploits should take precedence. An organization has to be aware of an attack and they can't report a data breach they have no knowledge of: that’s the real issue facing businesses today. Just because they can't see an attack or are unaware of the subsequent loss of data doesn’t mean it isn't happening. Reporting within 24 hours of discovery is admirable but if the company wasn't aware of the breach for 24 days then where do all involved stand? A greater emphasis on detection and blocking is required: it’s better for businesses and ultimately the customer.

Rob Rachwald, director of Security Strategy at Imperva:
The new EU privacy law takes a good step forward for privacy. The ability to control and even delete individual data profiles is a needed move. However, the proposal doesn’t do enough to protect data. Since it mainly proposes fines, it will not help keep EU citizen data safe from hackers or insiders. Such approaches have not met with great success in the past. Rather, the EU should put in place fines coupled with a more prescriptive approach, identifying specific actions firms should take to protect data. The payment card industry, PCI, adopted this approach and has managed to lock down data better than any regulation in existence today.

Andre Stewart, president international, Corero Network Security:
Personal data is not just about who you are, it's where you go and what you do. Our cyber lives are now so intimately linked to our actual existence that the value of this information is immense. Facebook identities in the criminal cyber bazaar are now more valuable than credit card particulars. There is no recourse for the individual whose personal data is stolen and therefore the obligation to safeguard confidentiality must be made explicit, and accountability spelled out. The new data breach laws try to do just that – prescribe and homogenise the rules across the EU with the stated aim of encouraging business growth as well. The question remains whether the law will tread the fine line between achievable data protection and compliance requirements. The new rules say personal data is valuable. Safeguard it. Make someone in your organization responsible for protecting it. And if you don’t comply you’ll pay because not only can you get hacked: you will get fined.

Christian Toon, head of information security for Iron Mountain Europe:
Many businesses of all sizes are falling short of what is required to manage information responsibly. In today’s increasingly scrutinised business environment, the lack of a solid and legally compliant information management policy is inexcusable. Regardless of turnover, sector or country of operation, making sure that employee and customer information is protected should be common practice, not a reaction to new legislation. Organizations unsure of where to start should look at the ISO 27002 recommendations.


• Date: 25th January 2012 • Europe / UK • Type: Article • Topic: ISM
