EU Data Reform Raises Global ChallengesStronger Privacy Protections Mean More Work for CISOs
The proposed reform would update the European Union's 1995 data protection rules, aiming to alleviate costly administrative burdens, while reinforcing consumer confidence in online services and stronger requirements for organizations around data protection, including responsibility and accountability.
The good news, says Francoise Gilbert, managing director of the IT Law Group, is the proposed reform seeks to create a single law that would provide legal certainty for organizations. Chief information security and chief privacy officers in Europe now must deal with 27 different national laws, all of which are vastly different.
However, under the new requirements, which are expected to take effect by the end of 2014, organizations would be required to conduct data protection impact assessments to ensure their software applications comply with the regulation. Also, organizations must bake security into the design of their applications from the start. As a result, increased compliance requirements can be expected.
Key changes in the reform include:
- A single set of rules on data protection, valid across the EU.
- Notification to the national supervisory authority of data breaches within 24 hours if feasible.
- Right to data portability. People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily.
- The "right to be forgotten," when people can delete their data if there are no legitimate grounds for retaining the information.
Preparing for Reform: Tips for U.S. Institutions
The EU rules would apply if personal data are handled abroad by companies that transact business in the EU market and offer services to EU citizens.
The proposed regulation provides a broader definition of what constitutes a data breach than U.S. law does. "Under the proposed EU regulation, the loss of any personal data would constitute a breach because the definition of 'personal data' in Europe is very broad," Gilbert says.
For global organizations, there would be additional requirements, documentation and new procedures to put in place. Gilbert warns that security and privacy practitioners who conduct business in Europe should prepare to spend more money to implement the new regulations.
The proposed regulation would require businesses operating in Europe to write formal information security policies. "Companies should remember that this is an important document and it takes time to create a security policy that is adapted to the actual needs of the company and the risk to which its data are exposed," Gilbert says.
The proposed data protection reform also would enforce higher penalties. The highest fine in the proposal is 1 million euros (about $1.3 million) or up to 2 percent of a company's global annual revenue.