Proposed Changes to EU Data Protection Regulation

Categories: EU Data Protection
Published: April 29, 2015

The purpose of this article is not to cover the whole of the law, but to focus on the need to protect the confidentiality of data, and the IT processes and technologies which should be employed in order to satisfy this need.


What is happening?

For two years the EU has been working on new EU Data Protection Regulation reform proposals that will set a Union-wide framework to replace the existing patchwork of country-specific legislation. It is intended to strengthen the privacy rights of EU citizens, restore confidence in online activities and better protect customer data by requiring companies to adopt new data protection processes and controls.

Although this legislation has not yet been adopted, the European Parliament has shown strong support for it in a near-unanimous vote of 621 in favour, 10 against and 22 abstentions. Given the lengthy review process it has already been through and the political weight behind these reforms, the future legislation is likely to closely resemble the proposals we see today.

As currently proposed, these changes will result in a single regulatory system across the EU, creating one of the world’s most comprehensive and heavily enforced data breach notification regimes. Some observers, however, believe that the end result may look more like an EU directive, giving member states discretion over how they translate the EU legislation into local law.


What does the new proposal say?

Of the 91 articles in the new proposal, Articles 30, 31, 32 and 79 are of particular pertinence when discussing the confidentiality of data with IT processes and technology in mind.


Article 30 addresses the security of processing data:

1. The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing, taking into account the results of a data protection impact assessment (pursuant to Article 33), having regard to the state of the art and the costs of their implementation.

1a. Having regard to the state of the art and the cost of implementation, such a security policy shall include:

(a) the ability to ensure that the integrity of the personal data is validated;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data;

(c) the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident…


2. The measures referred to in paragraph 1 shall at least:

(a) ensure that personal data can be accessed only by authorized personnel for legally authorized purposes;

(b) protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure; and

(c) ensure the implementation of a security policy with respect to the processing of personal data.


Article 31 requires the company to notify the supervisory authority immediately in the event of a data breach; whether the company must also inform the individuals whose data was breached depends on the circumstances.


Article 32 states:

1. When the personal data breach is likely to adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.

2. (…)

3. The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorized to access it.


If a company fails to do any of these things – adopt internal policies and implement appropriate measures for ensuring and demonstrating compliance, or notify the supervisory authority or the data subject of a data breach, where appropriate – then Article 79 on administrative sanctions stipulates that the supervisory authority can impose at least one of the following sanctions:

a) a warning in writing in the case of first and/or non-intentional non-compliance
b) regular periodic data protection audits
c) a fine up to EUR 100,000,000 or up to 5% of the annual worldwide turnover in case of an enterprise, whichever is higher.


However, if at the time of loss the data was protected in such a way as to be unintelligible to an unauthorised party (encrypted), and the company can prove this to be the case to the supervisory authority (using encryption management software), then the company is not required to disclose the breach to the individuals whose data was lost or stolen.


And what does this mean to me?

Your company will be expected to implement technology and processes to protect the integrity, confidentiality, availability and resilience of personal data and of the systems processing it.


Integrity – this means that the data must be kept accurate and not at risk of accidental loss, corruption or unauthorised alteration.

Confidentiality – this means that the data must remain accessible only to those with the relevant authority, and only for pre-agreed purposes.

Availability – this means that the data needs to be available to those who need it, when it is needed.

Resilience – this means that the data and the systems used to process it must be able to withstand a certain amount of anticipated failure without affecting the integrity, confidentiality or availability of the data.


If a data breach occurs which puts personal data at risk, your company needs to inform the regulatory body and the data subject. This means you are duty bound to inform your clients if your company suffers a breach of client data, which can put a big dent in your reputation!

In addition to your reputation problems, you can also then be subject to compulsory audits, and hefty fines.

For these reasons it is important to understand your responsibilities as a data controller/processor, and have the necessary technology and processes in place to protect yourself. This does not need to be complicated or time consuming.


So what do I do?

Your data protection plan will depend on the type of data you are storing and processing, and how that data is used. However there are some guidelines that can be followed by all businesses in order to help protect them and their data.


Encryption (probably the most important)

Using a data encryption solution (supported by the relevant processes and policies) will make sure that your data is accessible only to those with the relevant authorisation, and it will allow you to prove compliance in the event of a breach.

This is important because “if the company can prove that the data that has been breached is protected in such a way as to be unintelligible to an unauthorised party then the company is not required to disclose the breach to the individuals whose data was lost or stolen.”

This will certainly decrease your exposure and protect your reputation to some degree.

In addition, having an encryption solution in place shows that data protection is taken seriously in your company, and due diligence has been performed. This is likely to lessen the fines or sanctions imposed on your company in the event of a data breach.
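As an added illustration (not code from the original article, nor from any product it refers to), the following Go program shows the two properties the article leans on: stored personal data that is unintelligible without the key, as Article 32(3) requires for the notification exemption, and integrity that is validated on every read, as Article 30(1a)(a) requires. It uses AES-256-GCM from the Go standard library; the sample record, the `patient-0042` context string and the `KeyID` labelling scheme are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Envelope is the stored form of one personal-data field: ciphertext plus the
// nonce and a non-secret label of the key that produced it. Nothing in it
// reveals the plaintext without the key, which lives outside the data store.
type Envelope struct {
	KeyID      string // constructed label: first 8 bytes of SHA-256(key), for audit trails
	Nonce      []byte // 12-byte GCM nonce, unique per sealing
	Ciphertext []byte // AES-GCM output: ciphertext followed by the 16-byte authentication tag
}

// ErrIntegrity is returned when stored data fails validation: the ciphertext,
// nonce or context was altered, or the key is not the one that sealed it.
var ErrIntegrity = errors.New("personal data failed integrity validation")

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// KeyID derives a label that ties each record to the key version that
// protected it, so a controller can later show which key covered a data set.
func KeyID(key []byte) string {
	sum := sha256.Sum256(key)
	return hex.EncodeToString(sum[:8])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key. context (e.g. the record's primary key)
// is authenticated but not encrypted, so a ciphertext cannot be silently
// moved from one data subject's record to another's.
func Seal(key, plaintext, context []byte) (Envelope, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{
		KeyID:      KeyID(key),
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, plaintext, context),
	}, nil
}

// Open decrypts an Envelope. GCM verifies the authentication tag before
// releasing any plaintext, so altered data is rejected rather than returned.
func Open(key []byte, env Envelope, context []byte) ([]byte, error) {
	if env.KeyID != KeyID(key) {
		return nil, fmt.Errorf("%w: key %s does not match envelope key %s", ErrIntegrity, KeyID(key), env.KeyID)
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := aead.Open(nil, env.Nonce, env.Ciphertext, context)
	if err != nil {
		return nil, ErrIntegrity
	}
	return plaintext, nil
}

func main() {
	key, _ := NewKey()
	// Constructed sample record; not real personal data.
	env, _ := Seal(key, []byte("Jane Doe, DOB 1980-01-01, blood group O-"), []byte("patient-0042"))
	fmt.Printf("stored under key %s: %x\n", env.KeyID, env.Ciphertext)

	// Flip one stored byte: the record is now rejected instead of decrypted.
	env.Ciphertext[0] ^= 0x01
	if _, err := Open(key, env, []byte("patient-0042")); err != nil {
		fmt.Println("tampered record rejected:", err)
	}
}
```

The exemption in Article 32(3) only helps if the data really is unintelligible to whoever obtained it, so the key must be held somewhere the breached store is not (a hardware security module, a key management service, or at minimum a separate host with separate credentials); an envelope and its key lost together are plaintext in all but name. Recording the `KeyID` on each record is what lets you show a supervisory authority which key version protected a given data set.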


Backup (equally important, for different reasons)

Your responsibility as a data controller/processor goes beyond keeping the data away from prying eyes: you also need to ensure it is not at risk of total loss. Think of medical records or financial records; yes, you want to keep them private, but you also want to make sure they don’t get deleted by mistake or lost forever in a server crash. That too is your responsibility as a data controller/processor, which is why backups form a vital part of your data protection plan.


Disaster Recovery

Once you have protected your data from accidental loss, deletion, alteration and unauthorised access, you can set your sights on availability and think about the time it might take you to recover from a system failure.

If time is of the essence when it comes to accessing this data then you will want to think about disaster recovery. How will your company cope if a server fails, if an internet connection fails, if the whole site loses power? What processes do you have in place to get back up and running, and how long is this going to take you?


In summary?

Whilst these changes are likely to have a significant impact on businesses, these guidelines should be adopted by any business handling personal data as a matter of course. Not only will this protect your business interests against the effects of data loss and theft today, but it will stand you in good stead when these reforms become legislation.

If you do not have such processes in place and need some help working out the best course of action for you, please give one of our consultants a call on 0845 458 0553 and we will be happy to help.