
Firms warned over new data protection rules


Facebook.com/storetec

Storetec Services Limited

@StoretecHull www.storetec.net

Companies could face huge fines for lapses of data security under the new proposed European Union (EU) Data Protection Regulation, a lawyer has warned.

Writing for Computer Weekly, William Long – a partner at law firm Sidley Austin – said: "The proposed regulation, described as the most lobbied-against piece of European legislation, will affect virtually all industries, if adopted."


He noted the controversy has been so great that over 4,000 amendments have been proposed to the new legal framework by various European Parliament committees and industries. A number of these have been adopted by the parliament's Committee on Civil Liberties.

Discussing the implications of the legislation, Mr Long explained: "The proposed regulation will apply to European businesses that process personal data and businesses outside the EU that monitor EU citizens, or process personal data obtained from offering goods or services to EU citizens."


He added: "Dealing with international data transfers is becoming an increasingly important issue for companies as the move to centralised systems and cloud computing continues to grow."

The fining system would have an upper ceiling of €100 million (£84 million) or five per cent of turnover – a figure that may be severely damaging to financially challenged firms. "These fines will make data protection a boardroom issue and will require companies to carefully review what they need to do to comply," the legal expert noted.


Mr Long advised that this will include the need to put in place rigorous measures to ensure security policies are assessed, tested and calibrated, while companies will also need to hold detailed information on the data they hold, as well as disclose any breach to a data protection authority straight away. Under the rules, any company holding information on 5,000 or more people for a year – or one that holds sensitive details such as health records – will need to appoint a data protection officer, although this will not have to be an employee; the role may be outsourced.


Companies concerned about what is coming may consider the option of seeking to use a secure data storage provider to keep their information safe in a remote location. This may be particularly useful for firms converting paper records to electronic form, as it will enable them to be stored more safely.


Much of the new legislation described by Mr Long concerns the rights of the individual to withhold or withdraw consent for the use of their data and, for this reason, it may be particularly appropriate for those who do hold information on individuals to review their security systems in order to make sure they come up to scratch with the new regulations. According to the lawyer, these new rules are most likely to come into force "some time in 2015", following disagreement among EU member governments over the timing of their introduction.


A couple of recent cases may provide examples where organisations could face large fines under the regulation. This week saw brand loyalty firm Loyaltybuild reveal it had been the subject of a cyber attack, which had led to the credit card details of 62,000 Supervalu customers in Ireland – 6,800 of them in the north and the rest in the Republic – being potentially compromised. In addition to this, 8,000 Axa Ireland customers may also have been affected.

In this case, the danger to a company like Loyaltybuild would centre on whether or not it had done all that was required to make its systems as safe as it could against attack. However, were the regulation in place now, the firm would at least have fulfilled its duty of immediately reporting the data breach to the relevant authorities.


Another incident recently prompted the imposition of a significant financial penalty under the laws already in place in Britain. Last month the Ministry of Justice was fined £140,000 by the Information Commissioner's Office for a serious breach of information security at Cardiff Prison.


An email about visits had been sent to three families of inmates, and it contained an attachment detailing sensitive information concerning over 1,000 prisoners.

Storetec News/Blogs. “http://www.storetec.net/news-blog/firms-warned-over-new-data-protection-rules”. Firms warned over new data protection rules. November 13, 2013. Storetec.