With the proposed changes to the EU legislation regarding the protection of personal data, organisations need to take time to re-evaluate and assess the policies and procedures that they have in place. The reform, which includes changes to the right to be forgotten directive, sees an update to the set of rules regarding data protection and affects the way in which personal data is stored, processed and transmitted, and importantly, how breaches are penalised.
What this means for business is a review of security measures, policies and procedures for using this data, keeping it safe, identifying security breaches and detailing post-breach steps, and where necessary refocusing to address the new requirements. Recent research by Kaspersky Lab found that a third of UK small businesses wouldn't actually know what to do if they did suffer data loss. This is particularly concerning considering that the new data protection laws detail financial penalties for loss of data – with fines of up to two percent of global annual turnover.
Currently, the Information Commissioner's Office (ICO), whose powers have been steadily increasing, has the authority to impose fines on businesses that leak large quantities of personal information. The ICO provides basic guidelines for organisations on how they can effectively deal with information and keep it safe. However, this isn't a substitute for proper engagement with information security through frameworks like ISO 27001. Other frameworks and best practices, such as the one prescribed by the payment card industry, specifically address particular types of personal information and carry their own set of controls, embodied in the PCI-DSS requirements. The likes of VISA and MasterCard will actively recover their losses from retailers that lose data – a tangible monetary penalty per individual card that can have a devastating effect on an organisation that processes hundreds of thousands of card payments every day.
The proposed EU regulations essentially seek to standardise the areas around personal data protection with one set of laws for the region, one single supervisory authority, and one set of rules for everyone. For a business, the legislation revolves around responsibility for the data you hold, how it's processed, and how and by whom it can be accessed. This must all be defined in your policies and procedures. These need to include how you identify whether you have lost data, and what plans you have in place to deal with that loss.
Of all the proposed changes, the right to be forgotten clause presents possibly the most complex challenge for business. Typically, this deals with the retention of information once there is no legitimate cause to keep it. Security of data can be considered reasonably well understood, but managing the removal of historical data from established systems may prove more problematic. Retrofitting any functionality like this can present problems. In the business sense a lot of data needs to be retained for performance monitoring, analysis or even legal reasons, for example financial or tax information that must be retained for seven years. This means that while the data itself must not be discarded, anything identifying an individual must be made anonymous. This will have specific implications for back-ups and other archived data. It may not be feasible to access back-up information and extract those small pieces of data that need to be 'forgotten'. For organisations such as data centre providers that don't necessarily deal in sensitive data, but provide services to and support businesses that do, the solution will come in the form of technology improvements; solutions that will shift to accommodate the demands of the new legislation and their customers' need to comply.
The new regulations will not inhibit a company's ability to do business; they will just require a change in approach and the adoption of a solution that can be deployed to meet the requirements of customers.
Currently, the loss of data, such as credit card data, has tangible, financial implications for organisations. However, for the loss of personal data such as medical histories or criminal records, there is less incentive for compliance and consequences are potentially more difficult to measure. With the new regulations supported by stiff fines and increased powers for the ICO, perhaps the likelihood of future leaks will be greatly reduced.
Contributed by Fergus Kennedy, head of compliance and information systems at Pulsant