Are we ready for the new EU Data Protection Directive? Part 1

On the 25th of January the EU Justice Commissioner Viviane Reding proposed changes to the 17-year-old EU Data Protection Directive, claiming that the new rules will both cost less for organizations and governments to administer and improve the privacy rights of EU citizens. She also emphasized overall savings in the cost of compliance of up to 2.3 million Euros.

The key proposed changes are:
1. Harmonization of the Directive so that one law applies to all member states
EU member states do currently comply with the 1995 Directive, but each member state interprets, implements and administers the Directive differently. The aim of the new rules is to ensure consistency across all states in the protection of individuals and their privacy, and to simplify the international transfer of data beyond the EU. This will become increasingly critical with the adoption of Cloud computing and Social Networking.

2. Breach Notification Requirement that organizations notify authorities within 24 hours if feasible about a serious data breach
The data breach notification timeframes are going to be unattainable for many organizations. According to the Verizon 2011 Data Breach Investigations Report, 91% of breaches led to data compromise within “days” or less, while 79% of breaches took “weeks” or more to discover. Organizations that already have control and visibility into their security infrastructure, and have automated reporting and incident handling, will be standing on strong ground here. Further challenges are introduced by sensitive data stored in the Cloud and by the growth of big data, which is primarily unstructured.

3. Fines for violation of the Directive as high as 1 million Euros or 2% of the global annual turnover of a company
Tougher fines based on annual turnover can potentially wipe out a company’s profits globally, and data protection will surely now become even more of a concern for C-level executives. This is going to have a huge impact on the overall compliance costs for all organizations, although it will be interesting to see how this is policed…

4. ‘Le droit a l’oubli’ or the right to be forgotten.
The idea that citizens must remain in control of their personal data, and be able to remove that data if they wish to, will be challenging if not impossible to implement. Also, how are organizations going to prove that they have implemented this? How will it be measured?

The rules will also apply to companies that process data outside of the EU if those companies serve EU member states and their respective citizens. These are all ‘proposed’ changes, so it will be some time before they become law, but we are all going to have to be ready…

Look out for part 2 of my blog where I will share some best practices to get you started.