IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

EU proposes radical data protection refresh

The EC does as expected in proposing 24-hour breach disclosure rules and heightened powers for regulators like the ICO.

"Where this cannot achieved within 24 hours, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions."

For those of us who are familiar with dealing with a difficult security breach, having to contact a regulator in that massively important, golden 24 hours would be an unnecessary and unwarranted distraction.

Even though companies such as Sony and RSA have recently been lambasted for not reporting breaches soon enough, many have suggested the rule is too strict and could result in poor reporting of incidents.

"It's not helpful to specify a strict time in the way they've done," Stewart Room, partner in Field Fisher Waterhouse's technology law group, told IT Pro. "The regime that we have for telcos and ISPs, of reporting without undue delay, would be the right regime.

"For those of us who are familiar with dealing with a difficult security breach, having to contact a regulator in that massively important, golden 24 hours would be an unnecessary and unwarranted distraction. What may happen, rather than focusing totally on remedial action, the unfortunate organisation that suffers a breach is going to be focusing more on regulatory action."

Containment, mitigation and recovery should be on companies' minds after a breach occurs, Room added.

Others have suggested the 24-hour rule will lead to inaccurate reporting of data breaches, leading either to over or understated reactions.

ICO boost?

The new EU rules could favour the UK's data protection watchdog, the Information Commissioner's Office (ICO), which has been asking for greater enforcement powers, even after it was given the ability to fine companies up to 500,000.

The EC wants to "further enhance the independence and powers of national data protection authorities (DPAs) to enable them to carry out investigations, take binding decisions and impose effective and dissuasive sanctions, and oblige Member States to provide them with sufficient resources to do so."

It would like to see DPAs allowed to fine companies as much as 1 million or up to two per cent of the global annual turnover of a company.

"I would have thought all the data protection regulators are going to be made up it's like Christmas for them," Room said.

"It's very clear who the winners are - data protection regulators, data protection lawyers, data protection consultants and data protection officers. What's less clear is how do data subjects, controllers and processors win."

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Podcast Transcript: What’s so hard about public sector IT?
public sector

Podcast Transcript: What’s so hard about public sector IT?

3 Dec 2021
The IT Pro Podcast: What’s so hard about public sector IT?
public sector

The IT Pro Podcast: What’s so hard about public sector IT?

3 Dec 2021
Majority of UK's top business leaders are failing to manage supply chain security risks
supply chain management (SCM)

Majority of UK's top business leaders are failing to manage supply chain security risks

16 Nov 2021
HPE inks $2 billion high-performance computing deal with the NSA
high-performance computing (HPC)

HPE inks $2 billion high-performance computing deal with the NSA

1 Sep 2021

Most Popular

Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline
Security

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
FCC commissioner urges Apple and Google to remove TikTok from app stores
data protection

FCC commissioner urges Apple and Google to remove TikTok from app stores

29 Jun 2022