Rumours rife as EU gets ready to announce new data rules
Firms handling data are likely to be subjected to a considerably heightened compliance regime under new rules to be announced by the European Commission in January.
EU justice commissioner Viviane Reding has already warned that she intends to strengthen data protection in the public sector, but it now looks likely that all firms handling personal data will be subjected to extremely tough controls.
Among the measures already said to have been leaked, to the Financial Times among others, are:
Public reporting of data breaches within 24 hours, and notification of the person whose data has been compromised;
The appointment of a chief data protection officer for public bodies, large companies and any organization handling personal data on a large scale;
The ability for the consumer to control their own personal data and impose restrictions on the use of that data by others;
Regular and systematic monitoring of all data processing operations;
Fines for businesses of up to five per cent of turnover for data breaches.
In a speech given last week to the working party drawing up the rules, EU justice commissioner Viviane Reding said: “I intend to strengthen data protection officers in the public sector, in large companies and in companies doing risky processing… I also want to extend data breach notifications to all sectors. Data controllers will have to report security breach incidents to data protection authorities and to the individuals whose personal information has been compromised.”
No details have emerged on whether the proposals will be enshrined as legislation applicable directly across all EU member states, or imposed as a Directive, which can be watered down at national level. The finished document is likely to be released on Data Protection Day, 25 January.
According to Grant Taylor, vice president of compliance vendor Cryptzone, the imposition of a 24-hour rule is something of a game changer, as it will significantly raise the bar on data security within the EU membership area, making the subject a boardroom agenda item for many more companies.
“As has been reported, in the US where data breach notification legislation is a lot more onerous than it is in Europe, the costs of remediating a breach are a lot higher. As a direct result, we have found that the issue is discussed a lot more amongst companies and, as a consequence, the profile of IT security generally seems to be far greater.
“You can see this by the higher profile that IT security vendors have in the business mainstream in the US. The good news is that, as US products and services are priced similarly to those here in Europe, the relative cost – compared to remediating a data breach – is a lot less,” he added.