The second phase of the data retention directive will begin on Monday.
The first phase of the directive required telecommunications companies to retain fixed and mobile communications data. The second phase includes internet-related communication data, such as broadband access, internet telephony and email event data, to be retained in case it is required by law enforcement and other public authorities.
Neil Cook, head of technology services EMEA at Cloudmark, said: “Quite clearly, this new legislation opens up a whole can of worms for the ISPs when it comes to potential security implications. Considering the sheer volume of high profile security breaches hitting the headlines in the UK, the protection and storage of data is of paramount importance to an organisation.
“There is a plethora of questions that need to be considered with the introduction of this regulation, such as who has access to the data? Is that data logged? How is the data logged? What guarantees are there that data will not be retained past the 12 months? All this must be taken into consideration before any concrete strategies on the storage of this data are implemented.”
Carmen Carey, CEO of CopperEye, comments: “Communications data is a key piece of the puzzle used for investigations of serious crimes and threats to national security. It is essential that vital data is securely retained. Providers should consider that existing systems may not have the capability to comply with new legislative requirements.
“Unlike telecommunications companies that usually have extensive data management capabilities, many internet service providers are relatively small in comparison and are not able to manage the volumes of data that this directive demands.
“Therefore, they must implement a data management solution that is appropriate to their size and needs and leverage the most appropriate technology to satisfy the European Union Data Retention Directive requirements.”