European Data Protection Reform – The Enforced Data Privacy Officer

If your company touches any Europeans’ data, you’d better prepare for what’s coming.


The EU data protection reform is steadily moving forward. On March 12, 2014, the European Parliament adopted the current proposal in its first reading. The new regulation is intended to strengthen consumer privacy rights and to boost Europe’s digital economy. However, many experts across the Atlantic have expressed deep concerns with regard to some controversial aspects of the incoming laws, which introduce bigger fines, 24 hour disclosure and the enforced Data Privacy Officer. The proposed regulation applies to the processing of personal data pertaining to data subjects in the EU even if the controller or processor of such data is not established in the EU. U.S. companies with or without operations in the EU that fail to comply with the new rules can trigger fines up to €100 million. If your company touches any Europeans’ data, you’d better prepare for what’s coming and know what to do to minimize the impact on your organization when the regulation is enforced.


The enforced Data Privacy Officer – revenue generation for lawyers?

For private legal entities, the obligation set forth in Art. 35 of the regulation to designate a Data Privacy Officer (DPO) only applies to the processing of personal data that affects large numbers of individuals (≥ 5000 data subjects in 12 months), to regular and systematic monitoring of data subjects, or to the processing of special categories of data, location data or children’s data in large-scale filing systems. In all other cases the designation of a data protection officer is optional. Considering the ever-increasing collection and processing of personal data across national borders, companies will have to acknowledge that managing the duties of a data protection officer is often no longer a part-time job and calls for close ties to the board of directors as well as to the Chief Information Security Officer (CISO).

“It can be useful,” observes Leupold. Under the current national laws in the European Union, if you have a data privacy officer you are subject to fewer reporting duties towards the supervisory authority. “You’re subject to fewer duties if you have a data privacy officer. This can be quite an advantage,” continues Leupold.

What most companies might not realize is that this is not a task that can simply be fulfilled alongside other routine activities. Following the entry into force of the regulation, it could easily become a full-time job. “I know large corporations in Germany that already have data privacy officers. It is a full time job and as such it is also a cost factor,” warns Leupold.

Creating a position within a company, or requiring a company to hire an individual to serve in a role of this nature, seems problematic. Creating clear, understandable, and implementable regulations may do more to ensure privacy than requiring a data privacy officer – particularly if that officer is not a company employee. Good regulations allow companies to empower employees to ensure compliance. Outside oversight is likely to be seen as a burden to overcome. Requiring small companies outside Europe to hire a lawyer or other professional to serve as a data privacy officer seems like an unworkable framework for that reason.

Balboni points out that “the current proposal states that this person should have clear knowledge of the legal aspects of data protection but also the technical aspects. We are looking at a hybrid profile. This is a professional who combines both technical and legal knowledge of data protection. Not so easy to find nowadays.”

As privacy regulations become more and more complex, especially for large multinational companies, it is unlikely that the data protection officer role will eventually be played by one single individual. Balboni foresees a team of internal and external professionals, under the supervision of the data protection officer.

There seems to be a consensus that it is important to have someone within any company who has the authority and the interest to monitor privacy and security and to make sure that the organization is aware of these issues and is doing what needs to be done. However, according to Snead, “requiring that to be a formal role or title, doesn’t accomplish much other than make people feel good that some person in the company is called that.” In addition, small organizations might not have the ability to appoint someone for this role, and appointing someone outside the company might not be a good idea.

To Snead “some of the proposals that I’ve read sound like really great ways for lawyers to make money and not do very much else. If you get to serve as the data privacy officer for 3,000 different companies, that really doesn’t do very much other than give a law firm money. External data privacy officers aren’t going to have any authority. It sounds like revenue generation for lawyers” observes Snead.



CREDITS


Dr. Andreas Leupold LL.M.

IT-Law, Outsourcing, Cloud Computing, Data Protection & Data Security.

Munich, Germany


David Snead

Internet Attorney and co-founder of Internet Infrastructure Coalition

Washington D.C. Metro Area


Paolo Balboni

Founding Partner at ICT Legal Consulting

Milan Area, Italy


European Data Protection Reform – 24 hour disclosure or undue delay?


24 hour disclosure or undue delay?

The new regulation establishes the consumer right to know when their data has been “hacked”. Companies and organizations must notify the national supervisory authority of serious data breaches as soon as possible, if feasible within 24 hours, so that users can take appropriate measures.

European Data Protection Reform – The 100 Million Euro Fine


The 100 million euro fine: outrageous sanctions set a disturbing precedent.

Under the current national European data protection laws enacted or amended in the wake of Directive 95/46/EC, administrative fines are rather limited – e.g. in Germany the maximum fine is €300,000 – and rarely imposed at all. The new regulation entails a paradigm change in that it introduces substantial sanctions for non-compliance with the new rules.

European Data Protection Reform – What you should know.


EU regulation vs. U.S. laws: a matter of cultural bias?

The consolidated version of the EU Commission’s proposal for a General Data Protection Regulation following the LIBE Committee vote of October 21, 2013 differs fundamentally from the U.S. approach to the protection of personal data. “Whether one approach is better than the other, is a question of data protection culture. You might think that these are two extremes. On the one hand you have very restrictive regulation with higher fines, which are in my opinion over the top. On the other hand, there is so much leeway under the U.S. data protection laws that you can do almost anything as long as it’s not specifically prohibited,” observes Andreas Leupold, the German IT attorney and recipient of the “Lawyer of The Year 2013” award, who advises clients across Germany, England and the U.S.


How secure is Mobile Device Management anyway?

Researchers have successfully breached the Good Technology container. MDM software can only be as secure as the underlying operating system.


As the adoption of smartphones and tablets grows exponentially, one of the biggest challenges facing corporate IT organizations is not the threat of losing the device – likely owned by the employee – but the threat of a targeted attack stealing sensitive corporate data stored on these mobile devices. As a first line of defense, an increasing number of companies rely on Mobile Device Management software and Secure Container solutions to secure and manage corporate data accessed from these mobile devices. However, a recent analysis conducted by Lacoon Mobile Security – presented a few weeks ago at the BlackHat conference in Amsterdam – shows that the leading secure container solution Good Technology can be breached and corporate email stolen from Apple iOS and Android devices.


BYOD – The Benefits [VIDEO]

IT strategists and commentators alike have been talking about the cost impacts and benefits of the Consumerization of IT for years. However, no-one seems to agree on what’s actually going on out there from a financial perspective. Why? Because no one has managed to formulate an effective framework for measuring the financial impact of consumer-grade technology on the enterprise. IT managers are effectively flying blind with only a vague notion of what to measure and how to measure it.


BYOD – The Hidden Costs [VIDEO]

Executives and IT leaders are struggling to understand the true costs and benefits of IT consumerization and it’s not difficult to see why. Even a cursory Google search on the subject throws up as many questions as it does conflicting answers. The reason is that no comprehensive research has been conducted into the financial impact of such programs before.

That’s why Trend Micro recently decided to take the bull by the horns and commission Forrester Consulting to conduct a rigorous, scientific study – interviewing over 200 IT leaders in the US, UK, France, and Germany. With the results we have begun to build an accurate picture for the first time of what organizations are measuring in their BYOD programs and the cost impacts, in order that IT leaders can go away and begin to formulate for themselves an effective cost benefit analysis.


BYOD: You can’t manage what you don’t measure [VIDEO]

The Consumerization of IT is a trend even the most parochial IT manager has surely heard of by now. It’s sweeping through enterprises across the planet with no regard for legacy, tradition or order and can be seen as either the most exciting or terrifying thing to happen to IT in the past decade, depending on where you stand.

For many IT managers, unfortunately, the prevailing attitude is still “why should I allow it?”. They are clinging on to the old paradigm whereby IT controlled and dictated the purchasing and ongoing management of technology used by employees. This attitude just will not stand any longer – consumerization is happening, and it needs to be managed in as financially efficient a manner as possible.


Webinar: The Financial Impact of BYOD.

An increasing number of organizations allow employees to use personal mobile devices to connect to corporate networks and data for work – the so-called ‘Bring Your Own Device’ phenomenon. However, a recent study by Forrester Consulting reveals that only a few companies measure and understand the actual financial impact of this new IT model and that even fewer know the true costs and benefits of Consumerization of IT.

Join us on June 27th at 11:00 PDT/2:00 EDT for a live webinar with Cesare Garlati, a sought-after expert in enterprise mobility, who will review the findings of the study and discuss:

  • Key factors that compel firms to deploy BYOD programs
  • How IT organizations measure ROI of Consumerization
  • The hidden costs of BYOD and its benefits

Cesare will explain how to develop the financial framework for your BYOD initiative so that you can unlock the full business potential of the Consumerization of IT model.

You will know the bottom line at the end of this discussion!

Video: The Dark Side of BYOD

The Dark Side of BYOD: Privacy, Personal Data Loss and Device Seizure. Many employees don’t understand the implications of using their personal devices for work. Many companies don’t understand that they are in fact liable for the consequences.


Thought leadership video taken at the SIIA event All About The Cloud 2013 in San Francisco.

Credits: Montclare – May 2013
Original video http://www.youtube.com/watch?v=DCeqAy…

This post covers the things you always wanted to know about BYOD but were too afraid to ask.
