Monday, 23 December 2013

How proposed EU data protection changes could impact your business in 2014

In this two-part post our Head of Information Security and Data Protection, David Rimmer, looks at the major changes proposed in the new EU Data Protection Regulations. We believe that smarter use of richer customer data is at the heart of ensuring fair treatment of consumers in financial arrears – so it’s important that businesses keep up-to-date with proposed changes to ensure that they improve the customer experience and do not breach data protection laws.

In 2014, MEPs will vote on the proposed EU Data Protection Regulation in order to make data protection legislation across the EU much stronger. What practical steps can you take to prepare?


The main benefit to UK business should be the harmonisation of data protection legislation across the EU, replacing the wildly different interpretations of the current EU Data Protection Directive currently in place in different countries. Not only should this make offshore processing, exports and expansion more straightforward, but it should place UK organisations on a level playing field with their continental counterparts in terms of the overall burden of compliance.


The main topic of discussion is undoubtedly the significant increase in potential fines. Initially proposed at the greater of either 2% of the company’s global turnover or €1m, the potential fine has skyrocketed to 5% of global turnover or €100m in the new draft. It’s worth noting that the UK Information Commissioner already has the power to fine organisations up to £500,000, but since being granted this ability in April 2010 the highest fine has been £325,000 – well below the maximum permitted under the current law. This increase is a clear attempt to make data protection and privacy a board-level issue in all organisations.

Cheap will no longer be an option

The increase in potential fines threatens to undermine the cheap and ubiquitous nature of internet-based systems – particularly when combined with another change in the proposed draft, which puts more responsibility (and culpability) on suppliers (data processors). After the regulations come into effect, free or advertising-subsidised cloud-based systems just may not be viable as providers reconsider their business models to take account of the magnitude of fine that could be received should there be a breach of security. Additionally, the geographic scope of the regulations will now expand to include any organisation offering goods or services to consumers (data subjects) in the EU. So, cloud providers, no matter where they are based, will now have to build the costs of complying with the new regulations into their cost model and operating procedures.

New roles

The draft proposal also mandates the appointment of qualified data protection officers for organisations that process more than 5,000 personal records in a year, and requires that the officer reports directly to the company board in order to provide a degree of independence. The officer must also be appointed for a four year term, though this is reduced to two years if an external organisation is used to provide consultancy support in place of an in-house expert.  There is currently no detail of the level of qualification required to fulfil this role, and places on such courses are likely to be in high demand once the requirement is clarified.

How can you prepare?

Though the Regulations are still to be approved, it seems overwhelmingly likely that the changes outlined above are going to arrive in the near future.  In order to prepare, here are some steps that your organisation can take today:
  • Understand what data you hold, where it is stored and how it is protected – ideally document this in an information asset register to allow you to maintain a list of how your data is controlled, used and shared over time
  • Include an assessment of privacy impacts and the concept of ’privacy by design’ in new projects (this will be discussed in more detail in a future post)
  • Review overall compliance with the current Data Protection Act, remembering that security is just one of the eight principles – the ICO website has a useful guide to your obligations
  • Ensure you have an adequate level of data protection expertise available to support your current operation, as well as in planning for transition to future legislative changes - ideally within your organisation to avoid an increase in demand for external consultants as the implementation timeline approaches
  • Review your reliance on free or subsidised cloud services, and ensure that any future changes to pricing based on compliance with the EU law can be built into your operating model
In my next post, I will look at the impact the remaining changes to the law (including the ‘right to be forgotten’, breach notification timelines and the introduction of a data protection certification) will have on businesses.

David Rimmer, Head of Information Security, TDX Group

1 comment:

  1. Useful stuff David, privacy and security by design delivers compliance as a BAU activity.