October 3, 2014

Is your business ready for new EU data protection laws?

Guest blog by Chris O’Connell and Rory Trust of Burges Salmon.

By Cbr Rolling Blog

Changes to EU data protection legislation set to be introduced next year will see stricter requirements on companies and greater fines in relation to data breaches.

The EU data protection regulation was proposed in 2012 to harmonise data protection legislation across Europe and bring it up to speed with the age of cloud services and big data. After a record number of amendments to the draft regulation, the detail is being finalised by the Council of Ministers and looks set to be approved in 2015.

However, it appears few businesses are prepared for the changes, with one study reporting that only one percent of cloud providers meet the new requirements. Although the regulation will not take effect until two years after approval, so that companies would have until 2017 to adopt compliant working practices, putting correct procedures in place takes time. Given the increased fines and greater reach that will be available to the UK Information Commissioner’s Office (ICO), businesses should be aware of the new landscape now.

How will the EU regulation affect my business?

Increased fines
One of the key differences from the current regime is that the fines for breaching data protection regulation will be increased.

While the final level of fines under the EU regulation has yet to be agreed, it will almost certainly be an increase on the £500,000 maximum currently available to the ICO in the UK. The European Parliament proposed a maximum of 5% of annual worldwide turnover or €100 million, whichever is the greater.

Prescriptive measures
Companies will have to adopt prescriptive measures to demonstrate that they are complying with the regulation, including having policies in place, carrying out privacy impact assessments and self-auditing.

There is a strong focus on demonstrating compliance under the new regulation. This is far more onerous than the current regime, which sets out the legal requirements and leaves organisations to decide how to meet these.


Greater territorial scope
The current UK legislation, the Data Protection Act 1998, applies to data controllers established in the UK as well as data controllers that are not established in the European Economic Area (EEA), but which use equipment in the UK. The regulation would extend the territorial scope of EU data protection laws to:

– Data controllers or data processors established in the EU.

– The processing of personal data by a data controller established outside the EU in relation to data subjects residing in the EU where the processing relates to the offering of goods or services to data subjects in the EU, or the monitoring of the data subject’s behaviour.

The European Parliament’s proposal is that the regulation would apply to data controllers and data processors established in the EU, regardless of whether the processing itself takes place in the EU. The big change here is that, for the first time, the legislation will apply directly to organisations when acting as data processors. US-based social media companies and cloud service providers are clearly in the regulator’s sights.

Damages for individuals
Under the regulation, individuals who suffer loss as a result of a breach would be able to claim damages from data controllers and data processors – not just data controllers as at present.

Is this regulation needed?

Both the UK Government and ICO agree that data protection laws need to be reformed. An ICO statement said "e-citizens currently enjoy ‘paper age’ access rights".

However, both the ICO and Government have reservations about the form and content of the regulation. The ICO feels the regulation is too prescriptive and that the two-year lead in time is unnecessary.

As the EU moves towards a common digital market, data protection harmonisation can only be beneficial for businesses and individuals. It will provide businesses with the certainty needed to operate effectively, knowing both that they are complying with legislation and can rely on assurances given by foreign partners. It also provides individuals with the means of claiming compensation when dealing with companies across Europe.

While a focus on process will force companies to examine their data protection practices, it may prove to be an unnecessary burden which does not lead to fewer data breaches. One thing is clear: companies must have the correct processes in place or they will risk substantial fines in future.
