Data protection plans suggest big changes ahead for European businesses; the new legislation will replace the EU Data Protection Directive 95/46, an important component of EU privacy and human rights law, under which companies have been operating for 13 years. It is anticipated that the new legislation will reduce bureaucratic compliance requirements for many companies. However, it is likely to impose a greater responsibility on organisations to protect against, acknowledge and report data breaches. In addition, the regulation will introduce stiffer penalties for companies that fall short of the legal requirements.
The draft EU proposal, leaked late in 2011, outlines three main requirements that would, if incorporated into the final regulation, have far-reaching impact on the way many European businesses operate. They are:
- The mandatory notification of data breaches - recommends that both the relevant Data Protection Authorities (DPAs) and all affected individuals must be notified within 24 hours of a data security breach, including unauthorised destruction or loss. The data protection authorities must be notified even in the absence of any risk of harm to data.
- A requirement for named data protection officers - Data protection officers would be obligatory for all public sector organisations and all companies with more than 250 employees.
- Significantly increased fines - Under the proposed legislation, regulatory authorities would have powers to impose fines of up to one million euros or, in the case of an enterprise, up to five per cent of annual worldwide revenue for failures to comply with the regulation.
IMSM delivers ISO 27001 Information and Data Security to organisations. ISO 27001 is the only auditable international standard that defines the requirements for an Information Security Management System (ISMS); the standard is designed to ensure the selection of adequate and proportionate security controls.