Prepare now for new EU legislation – data protection plans suggest big changes ahead for European businesses
Monday 6 February, 2012
Iron Mountain marks European Privacy and Data Protection Day with call to action: ‘Prepare today or be penalised tomorrow’
Proposals for more stringent European data protection legislation will compel businesses across Europe to bolster their information management practices, says Iron Mountain ahead of European Privacy and Data Protection Day (EPDP).
Held this year on Friday 28 January, EPDP aims to raise awareness of data protection issues and to recommend good practice to organisations that handle personal data on a day-to-day basis.
The new legislation will replace the EU Data Protection Directive 95/46, an important component of EU privacy and human rights law, under which companies have been operating for 13 years. It is anticipated that the new legislation will reduce bureaucratic compliance requirements for many companies. However, it is likely to impose a greater responsibility on organisations to protect against, acknowledge and report data breaches. In addition, the regulation will introduce stiffer penalties for companies that fall short of the legal requirements.
Christian Toon, head of information security for Iron Mountain Europe, believes that the proposed regulation is good news in many respects for customers and should galvanise businesses to take a more critical review of their existing information management and security policies.
“Many businesses of all sizes are falling short of what is required to manage information responsibly,” says Toon. “In today’s increasingly scrutinised business environment, the lack of a solid and legally compliant information management policy is inexcusable. Regardless of turnover, sector or country of operation, making sure that employee and customer information is protected should be common practice, not a reaction to new legislation.
Organisations unsure of where to start should look at the ISO 27002[1] recommendations.”
1. The mandatory notification of data breaches. This recommends that both the relevant Data Protection Authorities (DPAs) and all affected individuals have to be notified within 24 hours of a data security breach, including unauthorised destruction or loss. The data protection authorities must be notified even in the absence of any risk of harm to data. “A big question is whether the business community will be willing or able to police itself,” comments Toon. “If it can’t, businesses could find themselves exposed to regular reviews by official regulatory bodies. The definition of a ‘breach’ will also have to be made clear. Will it depend on the number of records or documents exposed, for example, or on the type of information leaked? Organisations should prepare for both of these options.”
2. A requirement for named data protection officers. Data protection officers would be obligatory for all public sector organisations and all companies with more than 250 employees.
3. Significantly increased fines. Under the proposed legislation, regulatory authorities would have powers to impose fines of up to one million Euros or, in the case of an enterprise, up to five per cent of annual worldwide revenue for failures to comply with the regulation.