Security Think Tank: How to prepare for EU data protection rules (part 6)

With the new EU Directives for Data Protection knocking on the door of organisations, it is time to wake up and prepare for the data privacy law changes

With the rapid evolution of technology and the spiralling growth of data breaches worldwide, the rules of the game need to be modified at a constant pace to keep up.

With the new EU Directives for Data Protection knocking on the door of organisations, it is time to wake up and prepare for this change at the earliest opportunity. UK companies can no longer exist as isolated islands of personal and sensitive personal information without exchanging it with their customers, dealers and employees based in other geographical locations across the EU.

Hence, they have little choice but to adapt to the changing winds. Key steps to bear in mind:

Prepare for the worst

Businesses must ensure that they comply with data protection principles, or now risk a fine. Under tough new data-protection rules proposed by the European Commission, businesses may be fined 2% of turnover for serious data breaches and other serious contraventions of the Data Protection Act.

The Information Commissioner has issued the first monetary penalties for serious breaches of the Data Protection Act, including a penalty of up to £100,000 to Hertfordshire County Council, and the amounts are rising. Penalties send a strong message to all organisations handling personal information. Such breaches cause not only financial harm but also substantial harm to individuals and to the reputation of businesses.

Single point of contact

National data authorities will become the primary point of contact for companies dealing with Europe-wide data questions, and the legislation aims to provide a single set of rules for data protection across Europe. Rationalisation of data-protection administration, such as notification requirements across Europe, should save companies millions.

Also, all organisations with over 250 employees will have to employ a data-protection officer (DPO) under the new guidelines. It should be the primary responsibility of the DPO to inform national data-protection authorities within 24 hours of serious exposure of personal data.

Social media exposure

With the skyrocketing rate at which personal information is shared on social media networks such as Facebook, LinkedIn, Twitter and Google, the related risk of exposure has tripled.

Cloud computing continues to contribute to heated discussions about the actual location of private data traversing continents and its security against possible attacks. European data-protection authorities will have jurisdiction over companies active in the European market which handle Europeans' personal data abroad. With the new legislative guidelines, companies such as Facebook and Google must comply with European data protection rules.

Delete and forget

New EU directive rules will enforce a right to be forgotten, which will allow people to request that their data be deleted permanently. Companies faced with a request for deletion of data will be responsible for passing that request on to companies that hold copies of that data.

The right to be forgotten will definitely affect internet platforms, which tend never to forget. For example, even if data is taken down from Facebook, it has not gone, because it will still appear in the cache of Google or other search engines.

Risk-based approach

The Information Commissioner sees compulsory auditing as a constructive process to map personal data stored in organisations with real benefits for data controllers and establish a risk-based approach. The primary objective of carrying out a compulsory audit is limited to determining the data controller’s compliance with the Act’s data protection principles. This will include the identification of weaknesses and strengths from a risk-mitigation perspective.

Richard Hollis serves on the ISACA Government and Regulatory Advocacy subcommittee (GRA)
