Data protection policy: Are you ready for 2015?

By Kevin Bailey, Head of Market Strategy

EU Regulations

The coming year will see many changes in the world of cyber security and information assurance, but is your business ready? Could falling behind cost your organisation considerable money, a bad reputation and a loss of valuable data?

Everyone is seeing governments and industry bodies tightening their regulations and legislation around the control of personal information, while at the same time expanding the amount of content that governments want access to as part of their security and counter-terrorism efforts. Take for instance the stance taken by President Obama and David Cameron just a couple of weeks ago. In order to stay within the ever-changing legislation, organisations need to keep abreast of changes to the law. This includes looking outside their primary industry and having an ear to the ground in any industry that is employing more 'regulators', the people who maintain the rules and penalise those that don't follow them. This ensures your business is as clued up as possible about the potential danger points.

In Europe a real effort should be made to become familiar with the new EU Data Protection Regulation, which is in the final stages of European Parliament agreement. The new regulation was originally proposed in 2012 by Viviane Reding (EU Commissioner for Justice) to replace the current EU directive and has taken three years to reach this final stage. Originally set for adoption by all 28 member states in 2015 and enforceable by 2017, differences of opinion, primarily with the UK, Germany and France, could delay its agreement until 2016 and enforcement until 2018. These unforeseen delays are just a bump in the road to Ms Reding's objective of protecting EU citizens' data, but every organisation in Europe, and every organisation that processes that data (inside or outside the 28 member states), should treat the delays as a commitment from the member states to get this right and enforceable, not as a delaying tactic in the hope that it will go away. The European Parliament vote in May 2014 ensured that this will become law, so it's not going anywhere. Further delays in delivering this new directive increase the opportunity for EU citizens' data to be open to snooping by foreign and European security services.

Part of the new directive is the requirement for organisations that process data relating to 5,000 or more "data subjects" to appoint an independent Data Protection Officer (DPO) for two years. Their primary role will be to ensure that your organisation meets both regulatory and business compliance obligations. These individuals will primarily come from a legal background, most probably from within the data protection arm of an existing practice, and will have the knowledge to interpret and apply the relevant regulations to a specific industry or organisation, whilst being able to converse with and challenge the relevant data protection authority. DPOs will have direct reporting lines to senior management and the Information Commissioner's Office (ICO).

So what are the consequences of ignoring these requirements? The new legislation will come with harsh financial penalties for severe non-compliance, with a proposed fine of 2-5% of annual worldwide turnover or €100 million, an amount that, while deemed "effective and proportionate", could cause irreversible damage to companies of all sizes.

How can I be prepared?

  1. Get to know the legislation: what will your organisation be required to do?
  2. Create a cross-functional team that brings together the data owners (business) and your data processors (IT) to ensure everyone understands their responsibilities.
  3. Make sure your team know what's expected of them: could they meet the requirements of the new laws?
  4. Get to know your data: your own, third parties', temporary, structured and unstructured. How will you know the weak points if you don't know what you have?
  5. Understand which collaboration tools and devices you use to share and communicate data internally and externally.
  6. Arm yourself with the right tools: will all of your data be protected by your current technology?
  7. Form a cyber security strategy. If you don't know where to start, then contact us.