Businesses will face tough penalties for failing to secure personal data under new European legislation.
Companies could face fines of up to 2% of their turnover for breaching a proposed EU data protection law.
“It is fairly certain that penalties will increase substantially,” said Karin Retzer, partner at law firm Morrison and Foerster.
The draft data protection directive, which is due to come into force in two to five years, will impose a raft of new obligations on businesses, including a statutory requirement to report data breaches.
Tighter data protection rules
Under the proposed rules, businesses and IT service providers will be required to report any data breaches to regulators within 24 hours and to notify the public if data is at risk.
The move would act as an incentive for businesses to improve the security surrounding their data, said Retzer in an interview with Computer Weekly.
“Already in the US, breach notification requirements work as an incentive to tighten security. In the US, the law only applies to certain types of data. In Europe, it would apply to any data,” she said.
Large businesses with more than 250 staff will be obliged to appoint a data protection officer and to conduct privacy assessments.
The directive will also apply to IT service providers, which will have new statutory duties to deploy state-of-the-art security and to inform customers about any data security breaches.
“Certainly for small service providers that would be an increased cost,” said Retzer.
Retzer advised businesses to put incident response processes in place for data breaches, and to ensure they have data protection contracts with their service providers.
“Any service provider that has access to information needs to be under a written contract. If companies engage service providers now, they should be careful they have the right to introduce new requirements,” she said.
EU draft Data Protection Directive
- Fines of up to 2% of worldwide turnover for deliberate breaches
- Almost every website accessible in the EU will be covered by the directive, even if data is processed outside the EU
- New right of individuals “to be forgotten”
- Companies must report data breaches
- Companies required to ensure their IT service providers meet the new data protection laws
- Providers of IT services will have a duty to provide state-of-the-art security
- Organisations required to carry out impact assessments before processing data
- Organisations required to demonstrate compliance with data protection rules through internal codes, certification and data protection seals
- Mandatory data protection officer for organisations with 250 staff or more
- Opt-out consents no longer valid
- Most online data will be regarded as personal data subject to regulation, even if it is not used to identify specific individuals
Source: Morrison and Foerster
ICO funding could drop
Although the directive will mean more administrative work for business, it will scrap the requirement for companies to register all of their data processing operations with the Information Commissioner's Office (ICO).
This has raised concerns that funding for the UK's data protection watchdog, which receives a significant proportion of its income from registration fees, could fall significantly.
“The ICO, compared with continental regulators, is very active in providing guidance to organisations; it is involved in government consultations and offers public comments,” said Retzer. “The danger is this could go away.”
The European Council has raised concerns about the additional administrative costs that the new directive could pose for businesses, she added.
“It will be very difficult for businesses, unless some of the more administrative processes are automated,” said Retzer.