The slow, stately progress of European data protection law continues: last month in Luxembourg, ministers in the Justice and Home Affairs Committee of the EU’s Council of Ministers reached partial agreement on reforms to the General Data Protection Regulation (GDPR).
(The GDPR, you’ll remember, is the regulation that will replace the EU Data Protection Directive with a single pan-European data protection law, directly applicable in every member state.)
The Council agreed – in principle at least – on the wording of Chapter IV of the GDPR, which includes new rules on data breach notification.
Under the proposed wording, organisations operating in Europe would have 72 hours from becoming aware of a breach of personal data that is likely to cause ‘physical, material or moral damage’ to individuals in which to notify the supervisory authority, and would also have to inform the affected individuals themselves ‘without undue delay’.
Organisations that had implemented ‘appropriate technological protection measures’ for the affected data, however, would be exempt from the second of those duties: they would not have to inform the affected individuals. The notification to the regulator would still be required.
A suitable response to increased data security risks?
At first this seems like something of a cop-out. If an organisation is breached, surely its information security posture is inadequate and the affected individuals ought to know about it so that they can take remedial action to prevent further damage. And isn’t it fair that the public should be made aware of all data breaches so that they can make informed decisions about the organisations to which they entrust their personal data?
Data breaches are in the news almost every day now. In the US in particular there has been a recent spate of high-profile, high-volume breaches affecting millions of individuals. If people knew of the risks they faced, would they have been more careful with their personal information? Would they have taken their business elsewhere?
Data breaches cause consumer wariness, and, as skittish customers go elsewhere, profits fall and share prices can plummet. The damage done to breached organisations – and to the wider economy – could arguably be reduced if they were allowed to deal with their problems in private.
In reality, every organisation is at risk from cyber attacks, and only those with solid contingency plans can limit the effects of a data breach once it happens. ISO 22301, the international standard for business continuity management, offers a best-practice approach to demonstrating resilience against external threats.
What do other countries do?
The EU is at least proposing a law that will cover the entire union. In the US, where breaches in recent months have potentially affected a quarter of the nation’s population, there is no federal data breach notification law. Individual states are left to enact their own legislation – and not all of them, it should be said, have done so. Some states take an approach similar to the proposed GDPR and require affected individuals to be informed only when the breached personal data was unprotected (typically, unencrypted); others require breached organisations to notify every breach.
The EU is taking its time over the GDPR, and until it is enacted as a whole no part of it can truly be said to be permanent – the Council follows the principle that ‘nothing is agreed until everything is agreed’ – but one thing is for certain: if your organisation processes personal information, you will have to adhere to the law.
Simple steps to GDPR adherence
Alan Calder, founder and executive chairman of IT Governance, says that EU businesses should not wait for the GDPR before implementing appropriate data security measures.
If this proposal is formally adopted, as it looks like it will be, European organisations will be able to avoid the obligation to inform affected individuals of a breach by having appropriate technological protection measures in place – measures such as encryption that render the breached data unintelligible to whoever obtains it. Note that the 72-hour notification to the regulator would still apply; the exemption only covers notifying the individuals concerned. The broader security controls that make such measures effective are exactly the kind of thing addressed by the international standard for information security management, ISO/IEC 27001.
ISO/IEC 27001 provides a holistic, risk-based approach to information security that allows all organisations, whatever their size, sector or location, to follow international best practice in protecting their data.