The EU General Data Protection Regulation has been in the works since its initial draft was proposed at the start of 2012 and potentially has serious consequences for companies operating out of European member states, both on reporting data breaches and user privacy rights.
It stipulates data breach fines of up to five percent of global turnover (or €100 million) – significantly higher than the ICO in the UK is currently able to impose – as well as several privacy features too, including the right to be forgotten.
Viviane Reding, VP of the European Commission, has previously said that the EU is aiming to be a ‘one stop shop’. “We are creating one regulatory authority,” she said, some months ago.
However, despite this, there have been several concerns. Privacy lawyers have accused the outgoing parliament of delaying the legislation, while there has been concern over whether companies can meet the proposed 72-hour timeline to notify regulators and customers once they know they have lost data.
Worse still, a new report from Trend Micro and Vanson Bourne reveals that only half of UK businesses are aware of the forthcoming regulation, compared to 87 percent of firms in Germany and 65 percent in France.
The study – of 850 senior IT decision makers around Europe – revealed that 50 percent of the 250 British respondents were completely unaware of the impending legislation, with only 10 percent aware of what steps they needed to take to achieve compliance.
The majority of respondents – 85 percent – believe that their organisation faces ‘significant challenges’ to comply with the regulation, and a quarter (25 percent) said they don't even think it's realistic to adhere to the incoming law.
Although this was largely due to a lack of employee awareness (44 percent) and restricted resources (31 percent), company structure appears to be an issue too, with nearly four in five placing responsibility on the company, and another quarter on a data protection officer – assuming they have one.
Both the study and the regulation – which was approved in March by the European Parliament – were discussed at length at a Trend Micro roundtable in London on Wednesday 23 April, with SCMagazineUK.com in attendance.
James Walker, solutions consultant at Trend Micro UK and Ireland, opened by saying that it is “noticeable the lack of knowledge on the forthcoming regulation” in his discussions with clients, and this was something that Vinod Bange, a partner at TaylorWessing, was only too keen to pick up on.
“A good collection of clients are saying ‘what are these regulations?’”, he said.
As a result, there is some exasperation over the lack of preparedness, not least because the changes are arguably an extension of existing laws already present in EU member states.
“The directive is not much further than the 1998 Data Protection Act in the UK. Data protection applies to everyone, and we've been doing it a long time,” said Mike Davis, principal analyst at MSMD Advisors, noting the earlier 1984 agreement.
“The directive is essentially best practices … don't keep data longer than you need to, build trust with clients – these are fairly basic things. It's not rocket science,” he added.
Despite the wait, however, Bange sees some improvement in the way the European chambers (the Commission and Parliament) are working together, and in how the reforms are being regarded – “Some German regulators are now saying that they're quite comfortable with the regime”.
Walker sees C-level interest growing accordingly: “The new regulations suddenly make the board care,” he said.
However, while the regulators may be open to the proposed changes, businesses could still face problems, most significantly on the money to implement such changes.
Bange says that there are no obvious cost savings for companies in complying, but with fines being so high, there is no alternative either.
“There's a clear cost for companies to put themselves in a position of compliance, but equally it costs money if you don't comply.”
Max Perkins, underwriter at specialist insurance business Beazley Group, meanwhile believes that all this development – and a lack of a concise framework from businesses – could fuel a cottage industry on data protection.
“There's going to be a cottage industry around this,” he said, noting the need for legal services, a company to manage breach response and even outsourced customer services.
Data breach response
SCMagazineUK.com asked if the data breach response time, currently set at 72 hours in the proposed regulation, is achievable and this prompted something of a debate.
Trend Micro's James Walker said that companies will have no choice but to conform, while Bange said that the 72-hour time-frame is realistic. But the issue, as Perkins said, could be when the clock starts ticking.
“At what point does that clock start ticking? Is it when you suspect something has happened?” he said, further commenting that this could result in a number of ‘false positives’ reported to the regulator.
The speakers further agreed that, adding to this complexity, the short time-frame could result in hasty conclusions on the cause of a data breach.
As a result, they said that companies should take basic steps to prepare for EU data compliance, from designating a person to look into the matter and understanding where data is stored, to staff education and ensuring data loss prevention (DLP) tools are installed correctly.