Security Think Tank: How to prepare for EU data protection rules (part 3)

If your CIO has little board input or budget responsibilities, now is the time to make these changes – to empower the CIO with budget responsibility and board influence

One of the key requirements of the proposed EU data protection regulation is that any company with more than 250 employees must appoint a data protection officer, responsible for ensuring that the regulation's rules are applied appropriately within the organisation.

A global survey of 2,000 CIOs last year found that only half of CIOs currently sit at operational or board management level. If your CIO has little board input or budget responsibilities, now is the time to make these changes – to empower the CIO with budget responsibility and board influence.

When transferring data to third parties, which may lie outside the EU, the new legislation requires appropriate safeguards, such as standard contractual clauses governing data processing by third parties. Given the proliferation of cloud computing, organisations should review their legal contracts with third-party service providers to ensure they meet this requirement.

Cloud providers (data processors) will have legal obligations too: if the appropriate legal contracts are in place with their clients (data controllers) and a subsequent breach results from the provider's own negligence, the cloud provider will be liable for a fine. Cloud providers should therefore be carrying out their own risk assessments to ensure they have adequate technical, procedural and physical controls in place to safeguard the data they process.


A major change is the data breach notification requirement, which already applies to communication service providers. Current proposals are to notify the national data protection authority within 24 hours of the breach, and to notify the affected data subjects as well. If appropriate technical measures are in place, such as encryption of the data, the requirement to notify the data subjects may not apply. All organisations should therefore be conducting their own risk assessments to identify the personal data they hold and ensure it is adequately protected.

Given that the new legislation is two years away, the detail may well change. Companies should stay up to date with developments as they arise. For UK-based companies, or those operating with a UK presence, the ICO website continues to be an invaluable reference point for data protection guidance.


Phil Stewart is secretary & director, communications, ISSA UK
