Europe's proposed new data laws called a burden on business

The right to be forgotten and mandatory data breach notification cause the most concern

Europe's proposed new laws on data protection are burdensome and expensive, but may give companies incentive to put more measures in place to secure data, according to representatives of business interests.

The mandatory notification of data breaches "as soon as possible", normally within 24 hours, has caused the most concern. But other elements of the European Commission's proposed reform of the Data Protection Directive have alarmed many in industry.

Under the proposed law companies would be obliged to inform both the relevant Data Protection Authorities (DPAs) and all affected individuals of any data security breach, including unauthorized destruction or loss.

Organizations that fail to issue notifications about a personal data breach in a timely or complete fashion to the supervisory authority will face fines of up to 2 percent of their current revenues. Mark Fullbrook, director of IT security company Cyber-Ark, questioned the reason for a time limit: "If the goal of this law is to provide consumers with upfront information about the security of their information, then a 24-hour notification period is hardly going to enable that. If you look at any of the serious breaches that have occurred over the last year, not one of the affected organizations was able to articulate the true extent of the breach within a day."

"I remain unconvinced that legislating around the disclosure of breaches actually provides any real incentive for organizations to employ best practices when it comes to data security. Let's face it, imposing a fine or a time limit is just like putting a plaster over a gaping wound -- it only goes so far," he added.

Many security firms, however, were quick to see the business advantage in helping companies meet these new requirements. "The most effective way to identify exactly what data has been compromised, and thus generate accurate breach notifications within 24 hours, is by deploying centralized protective monitoring systems that automatically collect and analyze all log data generated by the IT infrastructure," said LogRhythm vice president Ross Brewer.

However, Brewer also warned about the danger of "over-disclosure", which, he said, is a risk because many companies don't know what information has been compromised and may be forced to issue a blanket breach notification.

But the "cost of implementing security measures to proactively protect corporate information from potential data breaches and attacks is far less than the ultimate cost of a data breach," pointed out Aziz Maakaroun, managing partner of Outpost24 UK. "Rather than suffering from the financial and reputational damage that comes as a result of a data breach, surely it would be more beneficial for businesses to take steps to prevent data breaches from ever occurring in the first place."

Consumers' right to be forgotten also came under fire from industry. "Introduction of the so-called 'right to be forgotten' goes beyond a justifiable desire to enhance individuals' ability to erase their personal data on the Internet and creates a right that will be difficult to implement and that may have a chilling effect on the use of the Internet in the E.U. The new rules for allocating responsibility between data controllers and data processors will place a heavy burden on many E.U. companies to revise their contracts with non-EU service providers, a process over which they may have little control," said Wim Nauwelaerts, partner in the privacy and data security practice at Brussels law firm Hunton & Williams.

"In a further difficulty, the new regulations also require 'data portability', which means businesses risk having to transfer valuable data to their competitors if requested to do so by the individuals themselves," added Mark Owen, partner at London media law firm Harbottle & Lewis. "All this may well make it much more difficult for companies to use behavioral advertising techniques and will also place an administrative burden on insurance companies and suppliers of credit who routinely rely on statistical profiling."

The Commission claims that the new measures will save European businesses money by unifying the bloc's 27 different national data privacy laws. "Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors -- a requirement that has led to unnecessary paperwork and costs businesses €130 million per year -- the Regulation provides for increased responsibility and accountability for those processing personal data," said the Commission.

However, many companies will have to perform privacy impact assessments at a cost of around €14,000 (US$18,163). Companies with more than 250 people will also have to appoint a data protection officer.

"A big question is whether the business community will be willing or able to police itself. If it can't, businesses could find themselves exposed to regular reviews by official regulatory bodies. The definition of a 'breach' will also have to be made clear. Will it depend on the number of records or documents exposed, for example, or on the type of information leaked? Organizations should prepare for both of these options," said Christian Toon, head of information security for Iron Mountain Europe.

The incentive for companies to prepare for the new laws is increased fines based on global revenues -- up to 2 percent of worldwide revenues for the most serious infractions. Commission experts said, however, that the fines would be proportional to the seriousness of the offense and that smaller businesses would not be fined for a first infraction.

Follow Jennifer on Twitter at @BrusselsGeek or email tips and comments to jennifer_baker@idg.com.

Jennifer Baker

IDG News Service