The EC, Data Protection and the Compliance ‘Balance Sheet’

Mark Rogers, COO, Logicalis, gives us his view of the European Commission’s much anticipated draft update to its Data Protection Directive.  What does it mean for businesses and how will it affect the burden of compliance?

“….the Commission released proposed draft amendments to the European data protection framework. If these remain materially intact through the legislative process, the impact on organisations both within and outside the EU will be substantial.”

Allen & Overy briefing note Radical changes to data protection legislation, January 2012

 At Davos on the 25th January, the European Commission (EC) released a much anticipated draft update to its Data Protection Directive.  Aiming to harmonise data protection regulations across EU member states, the proposed new regulations appear to give with one hand whilst taking away with the other.

On the one hand, the EC claims harmonisation will save private firms ‘£1.9bn per year’ by reducing the administrative burden associated with navigating different regulations across 27 European nations.  That is, undoubtedly, a welcome development.  However, on the other hand, the draft directive will also force companies to make very significant changes to the way they manage data privacy, detect and report data leaks, it extends the regulations’ reach beyond Europe (presumably with cloud storage in mind), and threatens severe financial penalties for any business suffering a data breach.

If the directive emerges from the legislative and adoption process unscathed then it will have organisational implications, including the need to appoint ‘Data Protection Officers’, a requirement to comprehensively document the storage and processing of data and, in some cases, the need to carry out ‘data protection impact assessments’ – a development which is broadly interpreted as relating to large-scale filing systems.

Equally, a strengthening of protection for ‘data subjects’ (i.e. individual citizens) will be welcomed, but will make managing data more costly and complex – for instance a ‘right to be forgotten’ demands that businesses remove an individual’s data from its systems if consent is withdrawn, but also take reasonable steps to ensure it is removed by any third parties with whom it was shared.  These tighter controls and their impact on businesses storing or processing data related to EU citizens (even if the business itself is not based in the EU) are explored further here (opens PDF), in a briefing note from law firm Allen & Overy.

But the aspects of the draft directive which will undoubtedly have CXOs sitting up and taking notice are those dealing with data breaches.  In short, the draft demands that any private business suffering a data breach can be fined up to 2% of annual worldwide turnover.  If that is not enough to focus the mind, then the time available to detect and report a breach surely is.  As EC Vice President, Viviane Reding put it: “Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, within 24 hours."

Those measures seem explicitly designed to grab the attention of business leaders with the implicit message ‘You cannot afford to underestimate or ignore data protection’.  Perhaps more importantly, CXOs should be asking themselves a simple question “Do we have the tools required to detect and report a data breach within that timeframe?”

The answer, it seems, is a resounding ‘no’ – at least according to a report from security vendor, Trustwave.  Its of more than 300 corporate data breaches from 2011 found that just 16% of companies suffering breaches were able to detect them without outside help (from the public and regulators) – that is a long way from detecting and reporting within 24 hours.

It is clear, then, that the draft amendments to the European data protection framework present a range of significant challenges for any business, either selling products and services to EU citizens, or storing and using their data.  The good news is that there is time to address these issues – the directive will not become law until two years after adoption – so there is time to get houses in order (Personally, I’ve already been working with people from our legal, HR and technical functions to review current processes and ensure we understand how we may have to adapt in order to comply with these draft amendments).

But, whatever the final form of the directive, it will be interesting to see how the cost of compliance stacks up against those £1.9bn ‘red tape’ savings.

Over the next few weeks we’ll hear from Rodrigo Parreira, CEO of Logicalis Latin America, on the subject of video collaboration, and from Chris Gabriel, VP of Solutions Management, Logicalis Group on BYOD and innovation.

Tags Data Protection and Privacy, data protection, Data Centre, Data Centre Services