How proposed EU data protection changes could impact your business in 2014 – part 2

In the first instalment of this two-part update, we looked at some of the most striking changes in the proposed EU Data Protection Regulation and how these might affect UK business. The highest profile change is the increase in monetary penalties from the current £500,000 to a staggering €100m or 5% of global turnover, whichever is higher – but other changes may have a more immediate impact on your business.

The benefits of certifying your compliance
Organisations will be protected from the €100m monetary penalty in the event of a security breach (unless the breach is due to negligence) if they are audited against a new EU-sponsored data protection standard. The new standard may also provide a commercial advantage against competitors who do not hold the certification, if it becomes a trusted “kitemark” for data protection.

The scheme will also be available to non-EU companies as a method of providing a legal basis for international data sharing (or offshoring). This is particularly important as most of the current provisions for non-EU data transfers will expire either five years after the regulation comes into force (for the current “whitelist” of non-EU countries, including the USA’s Safe Harbor) or after two years (for agreements which use binding corporate rules, most commonly used by multinationals).

The right to be forgotten
Now referred to as the “right to erasure”, this provision allows individuals to request the deletion of personal data. The personal data must not be related to an ongoing transaction or contract, and must no longer be required for the original purpose of processing. You may also be obliged to delete data if you rely on the customer’s consent for processing (e.g. if no formal contract is in place, such as with free services or marketing lists) as consent can be withdrawn at any time.

Deleting all of someone’s personal data (including anything which could identify them as an individual, such as contact details down to postcode level) requires knowledge of every location where the data is stored and processed. Even organisations with mature data management processes may struggle to replicate that capability throughout their supply chain, and companies should also be aware of their contract terms with third parties.  If a supplier charges for each manual deletion of personal data, this could rapidly become an unreasonably expensive process.

Introduction of a mandatory timeline for notification of data breaches
The regulation mandates that data breaches are notified to the Information Commissioner and to data subjects “without undue delay” – an improvement on a previous draft which gave a strict 24-hour timeline for reporting. According to a leading data breach report (1), around two-thirds of breaches take months or even years to discover; having 24 hours to provide details of personal records affected by a breach, several months after the attack occurred, seems unachievable. Even just providing out-of-hours cover for security staff can lead to disproportionate additional expense.

Restricting consent
The draft EU regulation protects the customer from being forced to accept “unnecessary” processing which isn’t required by the offered service (for example where companies use personal data for  marketing or behavioural profiling in addition to providing the core service). Consent will only support the processing of personal data when it is freely given, and is for a specified core purpose.
This could also affect employers, as the draft regulation states that organisations can no longer rely on consent for processing personal data when the individual is not in a position to deny consent. The main example of this relationship is that of the employer and employee - if an employer decides to record the nature of an absence-related illness (thereby processing sensitive personal data), consent is unlikely to be seen as freely given as the employee does not have the power to refuse.

Summary
While the majority of media attention has focussed on the headline-grabbing €100m penalty for security breaches, the day-to-day impact of less dramatic changes such as the “right to be forgotten” may have a more significant long-term impact on UK businesses. Small businesses in particular may need to adopt different working practices, including increased documentation of their systems and processes, in order to avoid increased costs or reliance on third party knowledge for compliance. 

All companies can prepare for the change in legislation by:

• Avoiding complete reliance on customer consent (which can be withdrawn at any time).
• Schedule 2 of the Act contains a list of valid reasons for processing personal data.
• Implementing retention periods for data so that personal data is deleted or anonymised once it is no longer required. Not only will this minimise storage costs and reduce risk, but it will also provide an automated and repeatable process for the “right to be forgotten”.
• Putting systems in place for early detection of potential data breaches and to respond appropriately. Security incidents are increasingly a “when, not if” scenario which can be addressed in the same way as business continuity and disaster recovery.

If the regulations are delayed, which is possible due to forthcoming European elections, taking these steps (and those in the first blog post) will still improve an organisation’s resilience and may provide a competitive edge. Large organisations are increasingly focussing on managing risk throughout their supply chain and a modern business which can boast of its data management and security practices will be well equipped to win new business, and to cope with future regulatory change.

(1) – Verizon data breach report, 2013.

David Rimmer, Head of Information Security, TDX Group