EU Data Reform Raises Global Challenges

Stronger Privacy Protections Mean More Work for CISOs
EU Data Reform Raises Global Challenges
Security and privacy officers for global organizations can expect to perform more work if proposed data security and privacy reforms introduced in the European Union Wednesday become law.

The proposed reform would update the European Union's 1995 data protection rules, aiming to alleviate costly administrative burdens, while reinforcing consumer confidence in online services and stronger requirements for organizations around data protection, including responsibility and accountability.

See Also: Hunt Cloud Threats or Be Hunted | CISO Guide to Cloud Compromise Assessments

The good news, says Francoise Gilbert, managing director of the IT Law Group, is the proposed reform seeks to create a single law that would provide legal certainty for organizations. Chief information security and chief privacy officers in Europe now must deal with 27 different national laws, all of which are vastly different.

However, under the new requirements, which are expected to take effect by the end of 2014, organizations would be required to conduct data protection impact assessments to ensure their software applications comply with the regulation. Also, organizations must bake security into the design of their applications from the start. As a result, increased compliance requirements can be expected.

Key changes in the reform include:

  • A single set of rules on data protection, valid across the EU.
  • Notification to the national supervisory authority of data breaches within 24 hours if feasible.
  • Right to data portability. People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily.
  • The "right to be forgotten," when people can delete their data if there are no legitimate grounds for retaining the information.

Preparing for Reform: Tips for U.S. Institutions

The EU rules would apply if personal data are handled abroad by companies that transact business in the EU market and offer services to EU citizens.

The proposed regulation provides a broader definition of what constitutes a data breach than U.S. law does. "Under the proposed EU regulation, the loss of any personal data would constitute a breach because the definition of 'personal data' in Europe is very broad," Gilbert says.

For global organizations, there would be additional requirements, documentation and new procedures to put in place. Gilbert warns that security and privacy practitioners who conduct business in Europe should prepare to spend more money to implement the new regulations.

The proposed regulation would require businesses operating in Europe to write formal information security policies. "Companies should remember that this is an important document and it takes time to create a security policy that is adapted to the actual needs of the company and the risk to which its data are exposed," Gilbert says.

The proposed data protection reform also would enforce higher penalties. The highest fine in the proposal is 1 million euros (about $1.3 million) or up to 2 percent of a company's global annual revenue.

About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.