Interviews

Data reforms

by Mark Rowe

Businesses must act now to prepare for European Union (EU) data protection reforms, writes Christian Toon, head of information risk, Europe, Iron Mountain.

The European Parliament recently voted through amended data protection proposals. These new reforms represent the EU’s first major overhaul of data protection legislation since 1995 and will bring with them significant changes to the way personal data can be used. Once approved by the European Council, the 28 member states will have two years to become fully compliant. For many businesses this will seem a long way off. It can be tempting to wait to make any changes until they become a legal requirement, but that would be a mistake.

In the wake of the widely publicised NSA revelations around government snooping, consumers across Europe will welcome the greater personal protection and rights proposed by the new EU reforms as a long-overdue step in the right direction. Many businesses, however, will be challenged by the new obligations that are likely to come their way.

The new EU data protection reforms are intended to replace the current patchwork of national laws. Companies would be accountable to a single European supervisory authority, rather than 28, enabling simpler, more cost-efficient business in the EU, the economic benefits of which are estimated at €2.3 billion per year.

The draft requirements directly address issues such as customer consent and the need to notify regulators of a data breach within 24 hours. Many firms currently invest more resources in dealing with the fallout and investigations of data loss than in adequately protecting it in the first place.

This needs to change and the reforms are looking to address this. Failure to protect data sufficiently will have serious financial consequences, with the potential for fines in the event of an incident of up to five per cent of a private sector organisation’s turnover.

However, financial penalties for data breaches have been in place for some time, and have apparently done little to encourage increased responsibility in the management and protection of sensitive information. Businesses would do well to act now to better protect their information, regardless of the threat of incoming legislation.

It is up to businesses to scrutinise, mitigate and manage their own information risk supply chain, as part of a Corporate Information Responsibility (CIR) programme.

Examples of good practice are already in place. In Germany, for example, organisations are already obliged to make a member of staff responsible for data protection and ensure compliance in line with national laws. The biggest challenge for the EU will be to get all countries to match this standard. Meeting new requirements will involve taking stock of current practice and ensuring processes and policies are up to scratch. Waiting until the legislation is passed could be too late for many. For example, processes for identifying and reporting an incident need to be efficient, with the monitoring of data integrity common practice. This has become more complex with the prevalence of social media and mobile devices. Consequently, there is a greater requirement for firms to understand exactly what information they hold in physical and digital formats and where that information is held.

A data breach does not just represent a financial risk; it represents a serious threat to brand reputation and customer loyalty. With social media on the rise, bad news travels faster and further than ever. Even the smallest incident could have serious consequences for the future of an organisation if it is found to be at fault.

Every organisation should give serious consideration to its role as the responsible custodian of sensitive information. Businesses across Europe would be advised to consider their exposure to information risk and seize the opportunity of the impending regulatory changes to assess whether they have the right processes and policies in place to minimise that exposure.

© 2024 Professional Security Magazine. All rights reserved.