Are you information assured? What you need to know about the new EU Data Protection Regulation


The reforms to the EU Data Protection Regulation caused a lot of noise when they were announced a couple of months ago. Principally, the reform is being introduced to reflect the way data is now moved and shared electronically. When the regulation was originally passed in 1995, data wasn’t typically held online, so the directive didn’t cover it. How times have changed.

Until recently the EU had maintained that the finer details of the amendments would be defined by the end of the year and would be in effect sometime in 2016. At the time of writing, however, the details have not yet been finalised, and this is causing considerable hesitation and confusion within the UK industry about what companies will need to do to be compliant. In turn this is delaying companies in their preparation, and it’s increasingly likely that they won’t be ready in time.

The focus of the new act has expanded significantly in the physical and logical security area and is more in line with other UK certifications/standards, such as HMG’s IA standards. In a nutshell, the proposed reforms will prevent the personal data of EU citizens and those residing in a member state from being shared with anyone else without their express consent.

The challenge, however, is that nearly 75% of UK organisations(*) are not currently prepared for the new standards. Typically the board doesn’t associate data protection breaches with financial loss, so it’s important that these conversations, and the education of senior management, happen early and before the act comes into force.

What’s worth knowing is that the new act approaches data protection differently from the existing act. This means organisations will need to adapt their approach in turn. While many large enterprises and government bodies already have data protection processes in place, it’s the small businesses or non-technical organisations that may breach the regulations without knowing.

And there’s a financial implication. Costs of implementation are expected to be significant. The creation of a Data Protection Officer role is likely within many organisations that don’t have one. Under the old act, companies were able to implement a risk-based approach as they saw fit. In comparison, under the new EU standards a formal policy, compliance procedure and control documents must be put into operation, or the company risks facing a fine.

That’s not to say large organisations won’t be affected. In the past, a company’s Data Protection Officer would usually sit within the financial or legal team and would have little interaction with the ICT or information security teams. The EU act changes this and requires that operations, technical and security assurance departments are also involved with finance and legal in managing personal data.

Companies will also need to consider that the act will allow individuals to request and transfer their personal data (as part of an individual’s right to be forgotten). As a result, that data will need to be held in a transferable format (e.g. a social media format), which may pose a challenge for some companies depending on how their data is stored.

The new regulations will also give the governing authority significantly greater powers to impose fines. In the past, organisations were more willing to accept fines for bad practice or a lack of data protection. Now companies will need to notify the ICO within 72 hours of becoming aware of a data breach. If they’re found to have been negligent in protecting their data, they could face a fine of up to five percent of their annual worldwide turnover or €100 million – up from €500,000 previously.

What’s clear is that both companies large and small will need to have processes and controls in place to support the new standards or risk a financial penalty that could put them out of business.

(*) Source: http://www.channelweb.co.uk/crn-uk/news/2374261/it-managers-ill-prepared-for-new-eu-data-regulation
