A year on since the EU Commission announced proposals to revise data protection legislation, businesses are in a state of flux as they prepare for potential change.
Recent lobbying efforts from large organisations show that businesses are aware that the legislative changes will involve a significant period of adjustment to manage structured and unstructured data. However, as businesses wait for further indications as to the kinds of investments in technology, process changes or employees they will need, it is vital that organisations get to grips with the information they hold and understand how it is currently distributed so that they can be ready to meet the legislative requirements once they arrive.
In working with third parties that help to manage or store data, it's common for businesses to try to shift information risk responsibilities contractually. However, by law, organisations cannot offload this responsibility and remain accountable for how data is securely handled. It is up to them to scrutinise, mitigate and manage their own information risk supply chain, this is simply part of their corporate information responsibility (CIR).
As it stands, one of the most challenging parts of the new legislation proposals relates to the anonymity of data where businesses can de-personalise data to use freely. I agree with Javvad Malik at 451 Group, who told SC Magazine that where a bank may sell off anonymous customer data to department stores, this is hardly fair on the consumer, who is left out of the loop on how their personal data is transferred and used.
Businesses are currently too free on how they use and transfer sensitive data that has been de-personalised and shared with third parties for commercial gain. The upcoming directive should be framed so that it empowers the consumer with clarity on who owns this data and how it can be used.
Another area that has gathered concern from businesses is the 24-hour time frame in which businesses should notify regulators of a data breach. This is a huge undertaking for data controllers as it can take a while for a breach to be identified and reported internally.
The definition of a data breach in its purest form can also be disputed – what exactly is worthy of a notification to the information commissioner, rather than just being dealt with internally?
The technology is there to monitor data integrity within an organisation, but this will only become more difficult thanks to the current social media explosion, smaller mobile devices carrying more information and consumer devices becoming more regularly used for work purposes. Some businesses currently struggle to know what data they have in physical boxes, let alone knowing what exists digitally.
What strikes me most from the proposal is there will be no quick fix for organisations. A period of adjustment will be needed. I believe it will take at least six months in transition for businesses to firstly understand the data they hold, where it is and who has access to it, before building comprehensive policies to protect it in all its formats.
Business sectors such as banking and finance have potentially huge data sets, with reams of both physical and digital information to monitor, analyse and evaluate, which is a massive investment in resources, time and money. It's understandable that business leaders are cautiously waiting for the proposals to reach finality before budgeting for a cost effective solution.
The proposed new EU data protection legislation will bring significant positive changes to way organisations monitor and handle information risk issues, but it won't happen overnight. A harmonious society is possible as businesses are not working from a blank canvas.
For example, German organisations are already obliged to appoint a nominated member of staff responsible for data protection and ensuring compliance with the law. The challenge will be to get all EU countries to pull in the same direction, deploying a directive that can be consistently implemented and maintained by each member state.
What's certain is that the EU Commission will be legislating on data protection soon and it will affect all European organisations. The key to a smooth adoption lies in awareness of current inventories and preparedness for the inevitable.
Christian Toon is head of information risk and global security services at Iron Mountain