Privacy laws in Europe are tightening. Non-European companies that operate in the EU are currently governed only by the data protection laws of the country in which they are based, but European ministers have now agreed on reforms to the proposed Europe-wide General Data Protection Regulation (GDPR) that will make the law applicable to non-European companies that do business in the EU as well as to European companies.
This means that global corporations like Google and Facebook that hold information on European citizens will now face significant fines for failing to comply with new European data protection regulations.
In January this year Google was fined €900,000 – the maximum available penalty – for breaking Spain’s data protection rules, a fine that EU Justice Commissioner Viviane Reding dismissed as ‘pocket money’ for the Internet search giant. Google has also been fined €150,000 in France for similar offences, and is under investigation in four other European countries.
Under the GDPR, penalties of up to 5% of a company’s annual global turnover have been proposed for data breaches, which would have meant that Google would have had to pay €740 million – or $1 billion – a sum that represents rather more of a significant dent to the company coffers.
The GDPR is expected to come into force in 2016. IT Governance recommends that all companies that operate in Europe protect themselves by addressing their cyber security posture as quickly as possible.
ISO/IEC 27001 is the international Standard that sets out the best-practice requirements for an Information Security Management System, a holistic approach to information security that encompasses people, process and technology. Data breaches are becoming increasingly prevalent. If you want to protect your business’s critical assets and protect it against large-scale fines should the inevitable catch you off-guard, you need to implement an ISMS immediately. See our information pages for further guidance on ISO27001>>