European data protection regulations are about to get a whole lot tougher. The EU’s first update to the laws governing privacy since the 1990s will see a new definition of what personal data encompasses, as well as far more stringent enforcement.
Previously, the regulations only acted as guidance to companies, and punishments were little more than a slap on the wrist. Now, however, the regulations are expected to be passed into law, and the EU will have the power to levy fines of up to 5% of global annual revenues.
With the laws expected to be made official by the end of 2014, CBR attended a recent roundtable held by security firm Trend Micro to see what the consequences will be for your business.
A recent survey conducted by the company found that of 250 British IT decision makers, just half were aware of the upcoming changes, and just 10% knew what steps would lead to compliance.
A quarter didn’t believe it was even possible to adhere to the rules, and another 25% didn’t even think that fines existed – despite the potential for penalties of up to €100m being handed down from the EU.
James Walker, Trend Micro security expert, says: "There’s a huge lack of understanding what the regulations are and what impact it’ll start to have on organisations financially. [They don’t know] what they need to do, what changes will happen in their organisation, and among their people, process and technology."
Well, hopefully we can shed a little light on it for you.
The cost of not complying
Vinod Bange, data protection specialist at law firm Taylor Wessing, explains that the cost of not complying is currently outweighed by the cost of ensuring your firm adheres to the data regulations in play today. However, "those scales are going to tip the other way completely," he warns.
With non-compliance fines set at up to 5% of global annual turnover, or up to €100m, it pays to get your house in order. This particular tenet of the new regulations is designed to get the boardroom to pay attention.
Bange recommends firms concentrate on getting up to date with the current regulations, so upgrading again once the new ones are enshrined in law isn’t such a big jump.
He says: "[Get] your current baseline up to where it should be. If you don’t, it’s going to be an even bigger job."
So, exactly who’s liable?
A lot of uncertainty exists over who’s liable for a data breach when you’re using a third party to process your data. Max Perkins, insurance data expert at Beazley, says it’s better to be safe than sorry.
"If you’re the data owner that means you have collected the information from a consumer," he claims. "Just because you have made a business decision to outsource it, you’re still the data owner. That doesn’t pass from you.
"If a regulator feels like a business is being reckless with the information that they hold and with respect to their consumers, then that regulator will be punitive and will use its power."
When should you notify the authorities after a breach?
Initially, the EU said any data breaches had to be reported to the authorities (like the Information Commissioner’s Office) within 24 hours. That’s been scratched now, in favour of the phrasing "without undue delay".
This has caused some confusion as to exactly when you should report a breach.
Perkins asks: "When does that clock start ticking? Is it when they suspect something might have happened? If so, the regulators are going to receive loads of calls. If regulators aren’t careful about that they will have more than they can handle on their desks."
Say hello to the data protection officer
This problem could be solved in part by having someone in the organisation responsible for all things data.
Perkins says: "Designating someone within the organisation to have the awareness of what’s going on and what resources the company needs is a must.
"[Say] ‘we’re going to use a dedicated breach response manager’, who will exist at some point."
This is actually something that’s covered in the new laws. Any organisation with more than 5,000 customers will have to appoint a data protection officer. However, who that person should be isn’t clear.
Getting consent
Personal data is a nebulous concept, and its definition is changing even more under the new laws.
Mike Davis, principal analyst at MSMD Advisors, says: "The biggest challenge is communicating with your customers. The real big chunk of the regulations will be moving from implicit consent to explicit consent and having to go out and tell your customers [that they now have the right] to be forgotten.
"That’s going to be a slight concern because clients won’t want to actually lose their details. Big implications are going to be awareness and telling customers."
Bange adds: "We have provisions around consent, but those provisions are going to be much tougher, and harder to meet. We have definitions of personal data right now. Those definitions are going to be broader and will capture more data."