The European Commission’s proposals to alter the EU’s rules on handling information will have a big impact on UK companies’ security strategies
Europe’s current data protection regime dates from 1995, when more data was stored on microfiche than on the web and e-commerce was virtually unknown. Most experts agree it is out of date, and in January the European Commission (EC) published the draft of a regulation to replace it.
Being a regulation, it will automatically become law across the EU, unlike the 1995 directive which was implemented differently by each EU member state. This alone will save businesses around €2.3 billion (£1.92 billion) a year in admin costs, the commission claims.
Good for business?
Opinions differ as to whether lobbying by business will cause the draft proposals to be toned down when passed into law or whether the hawkishly pro-consumer European Parliament will stiffen them up. But most agree that, while the detail may change, the overall direction will remain.
That direction is a good one, says David Smith, deputy information commissioner in the Information Commissioner’s Office (ICO), the UK’s data protection authority. “Much of it really is good business practice – keeping information secure, good record-keeping, telling individuals how their data will be used, and giving them the clear opportunity to object to its use for marketing and so on,” he says.
Some business organisations are more critical. The Confederation of British Industry (CBI) has slammed the proposals as expensive, confusing and anti-competitive. “We’re concerned they will put European businesses at a competitive disadvantage in a global market, by placing restrictive controls and high cost burdens on innovation and investment,” says Matthew Fell, the CBI’s director for competitive markets.
Not everyone agrees. “We welcome the new proposals because they’ll create greater transparency for consumers,” says Jeremy Henderson-Ross, EMEA legal director and general counsel at Aimia, which runs customer loyalty schemes in 20 countries, including Nectar in the UK.
Large fines possible
Perhaps the commission’s most eye-catching proposal is the extra teeth that would be given to authorities such as the ICO, with maximum fines of €1m (£830,000) or 2 per cent of global annual turnover for the most serious breaches of information security.
This should at least promote data protection onto the boardroom agenda. But in practice, says Smith, it may make little difference. “We can already levy fines of up to £500,000 and we’ve found this to be a good and strong deterrent,” he says.
There is more concern about whether the ICO’s powers of discretion will be limited by a new regulation spanning Europe, where law enforcement often relies more on the letter of the law and less on the spirit. The draft says that penalties “shall” be imposed, rather than “may”, for example.
“We’re used to dealing with very practical and commercially-aware regulators in the UK and Ireland,” says Henderson-Ross. Coming under more European-style regulation, with more stick and less carrot, could be a shock.
Nonetheless, multinational firms may welcome the increased uniformity. Dealing with national legislation is currently a real challenge and an EU-wide regulation should help to create an environment where organisations can much more readily understand the rules and comply.
Is 24 hours enough?
The proposal that serious breaches of information security should, if possible, be notified within 24 hours has raised some eyebrows and many consider it unworkable.
“In the vast majority of cases companies don’t know within the first 24 hours what’s going on,” says Quentin Archer, partner and data protection specialist at international law firm Hogan Lovells. They may know something is amiss, but not how serious it is or whether it’s worth alarming people by telling them, he adds.
Susan Hall, a technology partner at law firm Cobbetts, believes the proposed requirement could spur organisations into creating a data breach plan similar to the disaster recovery plans that cover other kinds of emergency. “You need to have a proper procedure in place,” she says. This could include 24-hour phone numbers, a mechanism for alerting people as quickly as deemed appropriate, and even involving PR professionals.
The role of data protection officers (DPOs) is given added prominence by the EC’s proposals. The requirement for every large organisation to employ a DPO on at least a two-year contract sounds something of an imposition (the CBI reckons it could cost up to £75,000 a year).
In practice, however, most large organisations should have one already, and the two-year minimum contract proposed is mainly designed to guarantee their independence. A more serious issue could be the imposition of a mandatory fine if a DPO fails to tick the right boxes – by not having the required qualifications, for example.
The “right to be forgotten”
The EC’s proposed “right to be forgotten” has also been much discussed. “It’s probably the main challenge posed by the new regulation and we’re still short of guidance on when it would apply,” says Neil Richardson, information systems director at contact centre company bss. “I don’t think people could always demand that their records be deleted: an obvious example is credit history.”
But the final regulation is likely to allow for “reasonable exceptions”, and the rule’s main targets are the search engines and social media sites for whom individuals’ relationships and surfing habits have become such a lucrative commodity.
“Under current data protection law we’re only allowed to keep personal data for as long as we need it, so it’s not a proposal that would necessarily concern me,” says Henderson-Ross.
What the right to be forgotten could do is make organisations rethink the kind of personal information they ask for and the way they store it. They may refrain from asking for someone’s date of birth when they buy a fridge, for example.
This is another example of the ways in which the new regulation will shine a spotlight on data protection and information security, and ultimately this may be all to the good.
“It may be like the millennium bug, where businesses had to do a thorough investigation to see if they’d be affected, but there was an unintended benefit of improving systems generally,” says Archer.
What the reforms mean
- Creation of a single law on data protection valid right across the EU.
- Strengthening of independent national data protection authorities, including the power to fine companies up to €1m (£830,000) or 2 per cent of global annual turnover.
- Organisations would have to notify their authority and individuals of serious data breaches as soon as possible – if feasible, within 24 hours.
- A “right to be forgotten” will enable individuals to have their data deleted if there are no legitimate grounds for retaining it.
- People will have easier access to their own data, and be able to transfer personal data from one service provider to another more easily (the “right to data portability”).
- Wherever consent is required for data to be processed, this must be given explicitly rather than being assumed.
- Organisations with more than 250 staff must appoint a data protection officer on at least a two-year contract.
- Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Individuals will also be able to refer to the data protection authority in their own country, even when their data is processed by a company based outside the EU.
- EU rules must apply if personal data is handled outside the EU by companies that are active in the EU market and offer their services to EU citizens.
The regulation will come into effect two years after clearing the European Parliament. However, there may be up to two years of horse-trading before this, so it may be 2016 before businesses have to comply.