Data protection is a major concern for businesses of all sizes and across all sectors because of the constant risk of information security breaches. Businesses fear the impact on operational budgets, the commercial costs a breach entails, the damage it does to their reputation and the liability to third parties that follows.
The ongoing data protection reforms are intended to harmonise and strengthen data protection legislation across the EU member states. The new EU General Data Protection Regulation, currently under discussion in the Council of the EU, is awaited with great expectation. Just recently 16 member states issued a joint declaration pressing for adoption of the reforms by 2015.
If the instrument is approved in 2015, it will be in force by 2017, replacing the 1995 Data Protection Directive, which no longer adequately caters for current technological advances. As a regulation it will apply directly in all EU member states, without any need for national implementing legislation.
For individuals, this news comes as a promise that the protection of their rights will be strengthened. But the big changes ahead mean that businesses will face stricter data security requirements and an additional compliance burden.
Indeed, although nothing is decided until everything is agreed, it is evident that the new EU Regulation will impose stronger requirements on companies' data protection policies and systems, in particular the implementation of appropriate technical and organisational measures. It will therefore have major implications for every sector (financial services, healthcare, the legal sector, manufacturing and the public sector, to name a few) in the way data is collected, stored and accessed.
The announced reforms will, among other constraints, require businesses and organisations to obtain explicit consent from individuals before processing their data, to notify them when their data is collected, and to inform them of the purpose for which it is processed and how long it will be stored.
The conditions also include the now well-known 'right to be forgotten', which allows individuals to demand the erasure of their data from companies' computer systems where there are no legitimate grounds for keeping it.
In parallel, the upcoming changes include a 'right to data portability', enabling individuals to transfer their personal data easily between service providers.
Furthermore, companies and organisations will have to report data security breaches to the national supervisory authority (the governmental body that oversees data protection within a member state). Similarly, affected individuals will have to be informed without undue delay of any data breach that could adversely affect them. Businesses are, of course, worried about the impact that this compulsory disclosure will have on their brand and reputation across the EU. However, individuals should undoubtedly be able to take protective measures, such as changing passwords, when information relating to them has been compromised by a security breach.
Additionally, companies can incur severe fines, of up to 5 per cent of global turnover, if they are found to have been negligent or abusive in protecting the data they hold. Fines are intended to be effective, proportionate and dissuasive.
Despite the increased responsibility and accountability, businesses will be freed from unnecessary administrative requirements, such as the general obligation to notify processing to the authorities, which is expected to bring considerable annual savings.
Under the intended reform, a new 'one stop shop' regulatory regime will also be established: businesses will deal with just one data protection authority (DPA), the one in the country of their main establishment, instead of with the DPA of every EU country in which they operate.
Of course some of the proposals will be amended in the course of the co-legislative procedure, but it has already become obvious that the end result will require businesses to adapt their internal processes and technologies. The recent massive data breaches and security threats have highlighted how much room for improvement there is in the monitoring and protection of corporate data.
So the big question to ask is: are businesses ready for the forthcoming legislation?
Though there is no need to panic, the clock is ticking, and businesses should look ahead and prepare themselves for the major requirements of this shake-up.
In order to move towards compliance, it is important to consider which adjustments need to be developed internally to that end.
It will be necessary, for instance, to ensure the legitimacy of the data processed: assessing which of the data currently stored actually needs to be kept, and analysing the legal basis on which personal data is used. Where consent is the basis, for example, it must be ascertained that the consent is adequately documented and that it is specific, informed, explicit and freely given.
It is paramount to identify vulnerabilities and to build protective measures and adequate safeguards around all data processing activities. This will require, for instance, restricting access to personal data to the employees who need it, anonymising and encrypting data, assigning ownership of data sets, and attributing responsibility for compliance with the legislation, notably to an appointed data protection officer.
Offering adequate data security training and education to employees, especially on their obligations of confidentiality, is also an important part of an effective security programme.
Developing and applying adequate procedures for dealing with data security breaches, namely an incident management process and a breach notification process, will ensure that, once an incident is detected, it is notified to the data protection authority in due time.
Similarly, all data processing operations should be documented and kept up to date so that the documentation can be made available promptly to the data protection authority on request at any time.
Last, but not least, as individuals will be able to demand that organisations erase records of their personal information, businesses should have in place a system of storage, classification and search that allows the data collected about a person to be found and erased effectively, while still recognising the records for which a legitimate ground for retention exists.
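As an added illustration of such a system (example code written for this page, not code from the article or from any real product), the following Python sketch keeps an inventory of where personal data about each data subject lives, lets the organisation find every record for one subject, and erases them on request unless a record carries a legitimate ground for retention. The store names, field names, sample records and the index key are all constructed for the example; keying the index by an HMAC of the subject's identifier is an assumption of this example, chosen so the inventory itself does not carry the raw identifier.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumption (not from the article): the inventory is keyed by an HMAC of the
# subject identifier rather than the identifier itself. The key below is a
# constructed placeholder; a real deployment would hold it in a KMS or HSM.
INDEX_KEY = b"constructed-demo-key"


def subject_key(identifier: str) -> str:
    """Normalise the identifier (case, whitespace) and derive the pseudonymous index key."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(INDEX_KEY, normalised, hashlib.sha256).hexdigest()


@dataclass
class Record:
    store: str                              # which system holds the row
    record_id: str                          # its key within that system
    category: str                           # classification, e.g. "contact", "billing"
    retention_basis: Optional[str] = None   # legitimate ground that blocks erasure

    @property
    def ref(self) -> str:
        return f"{self.store}:{self.record_id}"


@dataclass
class Inventory:
    stores: Dict[str, Dict[str, dict]]                 # store -> record_id -> row
    index: Dict[str, List[Record]] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)

    def register(self, identifier: str, store: str, record_id: str,
                 category: str, retention_basis: Optional[str] = None) -> None:
        """Record that a store holds personal data about the given subject."""
        rec = Record(store, record_id, category, retention_basis)
        self.index.setdefault(subject_key(identifier), []).append(rec)

    def find(self, identifier: str) -> List[Record]:
        """Every record held about the subject, across all stores."""
        return list(self.index.get(subject_key(identifier), []))

    def erase(self, identifier: str) -> Dict[str, list]:
        """Erase the subject's data, keeping only records with a retention basis.

        Returns which records were erased and which were retained (with the ground).
        """
        key = subject_key(identifier)
        erased: List[str] = []
        retained: List[Tuple[str, str]] = []
        kept: List[Record] = []
        for rec in self.index.get(key, []):
            if rec.retention_basis:
                retained.append((rec.ref, rec.retention_basis))
                kept.append(rec)
                continue
            self.stores.get(rec.store, {}).pop(rec.record_id, None)
            erased.append(rec.ref)
        if kept:
            self.index[key] = kept
        else:
            self.index.pop(key, None)
        # Audit trail of the request, without the raw identifier.
        self.audit.append({
            "subject": key,
            "at": datetime.now(timezone.utc).isoformat(),
            "erased": list(erased),
            "retained": list(retained),
        })
        return {"erased": erased, "retained": retained}


def build_sample_inventory() -> Inventory:
    """Constructed sample: one person with data in three systems."""
    stores = {
        "crm": {"c-1": {"name": "Alice", "email": "alice@example.com"}},
        "newsletter": {"n-7": {"email": "alice@example.com", "opted_in": True}},
        "invoices": {"inv-42": {"customer": "Alice", "amount": 120.0}},
    }
    inv = Inventory(stores=stores)
    inv.register("alice@example.com", "crm", "c-1", "contact")
    inv.register("alice@example.com", "newsletter", "n-7", "contact")
    # Invoices must be kept for a statutory period, so erasure does not apply.
    inv.register("alice@example.com", "invoices", "inv-42", "billing",
                 retention_basis="statutory retention period")
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("before:", [r.ref for r in inv.find("Alice@Example.com")])
    print("result:", inv.erase("alice@example.com"))
    print("after:", [r.ref for r in inv.find("alice@example.com")])
```

The point of the retention check is that the right to be forgotten applies only where no legitimate ground for keeping the data exists; a system that deletes indiscriminately would breach other obligations (such as accounting rules), while one without a subject-level index cannot honour the request at all.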
The bottom line is that, whatever shape the final version of the upcoming regulation takes, businesses cannot ignore the EU's data protection reforms and the challenges and opportunities that lie ahead.
Failing to prepare for the impending changes puts the whole business at risk, given the reputational damage and financial losses associated with a data breach.
In this context, news of cyber-attacks and of vulnerabilities such as the recent Shellshock bug might be the greatest incentive of all.