December 15, 2014

Time to act on Corporate Data Protection*

Data breaches and security threats continue to make global news, serving as a constant reminder of the need to improve monitoring and protection of corporate data.

European businesses, as well as those operating globally in the region, face particular challenges with proposed changes to European Union (EU) Data Protection legislation for protecting personally identifiable information (PII) for EU citizens. The proposed amendments will result in stricter fines on companies that are found to be negligent with their data protection responsibilities.

The reality is that many businesses don’t know they are losing data to begin with, never mind which data is actually being lost. And, with heavier fines likely to be inflicted on companies that suffer data breaches when the new regulations are passed, there has never been a better time for businesses to get their security controls in order.

What the EU Regulation means

The proposed legislation will place stronger restrictions on companies’ data protection policies and systems, providing EU-wide regulations for data controllers and processors, and creating a central authority with a single set of rules for all EU member states. The Regulation will further empower the national Information Commissioners to tell companies they must take action on data protection.

The good news for business is that the proposed EU Regulation isn’t likely to take effect until 2017 and allows for a two-year preparation period intended to help companies get better at detecting data breaches. However, companies shouldn’t make the mistake of treating the extra time as an opportunity to delay deployment. Simply put, this is a strategic process that requires time to get right.

Unfortunately, companies are currently often too happy to pay fines for a data breach, rather than face the significant strategic shifts, time, resources, and funding often necessary to implement a data protection security program.

This will change dramatically if and when the EU Regulation comes into play. Under the new proposal, data controllers and processors must notify the national authority within 72 hours of becoming aware that they have suffered a PII data breach, and could face fines of up to five percent of their annual global revenue or €100 million if found to have been negligent in protecting their data.

Time for change

Independent global research suggests businesses are unprepared for the new regulations. Only 35 percent of the 5,000 IT security professionals surveyed who had suffered data breaches knew exactly what data had been stolen, while 80 percent believed their executives do not link data breaches to financial loss - a position that will have to shift swiftly. Ponemon Institute data estimates that the average cost of an organizational data breach is $5.4 million – a figure that will only increase with the introduction of the new regulations and potential fines.

The onus is now firmly on security professionals to realign strategy, answer questions about regulation changes from the board level, and establish robust data protection policies. Failing to be prepared and ready is a sure-fire way of alienating the board while putting the business at risk of not only suffering data breaches but also incurring damaging financial and reputational losses.

* This post represents the views of the author and is for information purposes only. This article contains a general statement of the law and is in no way a substitute for specific legal advice on any particular issue.
