← European Data Protection Reform – How to prepare for what is coming

The GitHub attack – is the worst still to come? →

European Data Protection Reform – How to minimize impact and costs

May 21, 2014 Leave a comment

If your company touches any Europeans’ data you’d better prepare for what’s coming.

The EU data protection reform is steadily moving forward. On March 12, 2014, the European Parliament adopted the current proposal in its first reading. The new regulation is intended to strengthen consumer privacy rights and to boost Europe’s digital economy. However, many experts across the Atlantic have expressed deep concerns with regard to some controversial aspects of the incoming laws, which introduce bigger fines, 24 hour disclosure and the enforced Data Privacy Officer. The proposed regulation applies to the processing of personal data pertaining to data subjects in the EU even if the controller or processor of such data is not established in the EU. U.S. companies with or without operations in the EU that fail to comply with the new rules can trigger fines up to €100 million. If your company touches any Europeans’ data, you’d better prepare for what’s coming and know what to do to minimize the impact on your organization when the regulation is enforced.

How to minimize impact and costs of the new regulation

As any other companies processing personal data of European consumers, U.S. organizations should not content themselves with seeking to avoid the imposition of administrative fines. Ideally, companies should embody personal data protection and information security into their business models and processes as inherent parts of the company´s culture, products and services.

In doing so, U.S. companies can benefit from a uniform regulatory framework that saves significant costs compared to the web of 28 national data protection rules. Personal data is becoming the new currency of the information age. The EU regulation mandates the implementation of data protection “by design” and “by default”. Companies should look at this new rules as an effective way to gain consumer´s trust and to establish a competitive edge in the ever evolving internet markets. The best way to minimize the inherent costs of the new legal framework is to implement structured processes that make compliance fail-safe and that greatly reduce the need for short-lived trouble shooting and undesirable – and expensive – disclosures of data breaches.

In Snead’s views, “U.S. companies are not doing themselves any favors by ignoring this law or by ignoring the proposals”. According to Snead it is important for IT professionals to follow what is going in the EU with regard to privacy for two reasons. One is that EU is the largest non U.S. market. Sooner or later you’re likely going to have to comply with these laws. The second is that what is going on in the EU with regard to privacy is reflective of what is going on globally, including in the U.S., with regard to privacy. It reflects the fact that consumers and businesses want more control of their data. They want more certainty about what is going to happen to their data. The European Union is responding to that concern. However, It is not an EU only concern. It is a global concern. Paying attentions to what’s going on in the EU and beginning to prepare for it is going to put organizations that follow this issue ahead. “It’s going to allow them to create compliance strategies that are well thought out and implementable as opposed to compliance strategies that they have to implement 10 minutes after they get a customer.” concludes Snead.

In conclusion, Balboni observes that the “EU, U.S., Canada and numerous other jurisdictions of the Asian and Pacific Economic Cooperation (APEC) still have a number of commonalities. The bottom line is that there is a global common denominator [with regard to personal data protection]. It’s the principle of accountability. If you start implementing this principle in your organization, then you’ll be ready to transition to the new general data protection regulation in Europe.”

Previous: How to prepare for what is coming.

CREDITS

Dr. Andreas Leupold LL.M.

IT-Law, Outsourcing, Cloud Computing, Data Protection & Data Security.

Munich, Germany

David Snead

Internet Attorney and co-founder of Internet Infrastructure Coalition

Washington D.C. Metro Area

Paolo Balboni

Founding Partner at ICT Legal Consulting

Milan Area, Italy

Filed under Information Security Tagged with 24 hour disclosure, Andreas Leupold, Cesare Garlati, CIO, CISO, compliance, CSO, data protection, data protection officer, David Snead, directive, eu, fines, HIPAA, HITECH, law, legal, Paolo Balboni, Policy, Privacy, reform, regulation, safe harbor

About Cesare Garlati
Co-Founder, Hex Five Security, Inc. - Chief Technologist prpl Foundation

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

About Cesare Garlati

This is my personal blog about disruptive technology trends such as cyber security, open source processors, and the Internet of Things. It's full of my reasoned opinions, some of which will turn out to be absolutely wrong. You should not rely on anything in this blog for any reason other than for amusement.

This blog occasionally quotes excerpts from other publications, in which case it is done under Fair Use. I despise copyright trolls and think the EFF is due for sainthood any day now.

I am the founder of Hex Five Security and an active member of the RISC-V Foundation: some of my writing will appear here too if it's relevant. The opinions here are mine and mine alone, and are not representative of any professional organizations I belong to.

Comments are unmoderated. Say what's on your mind, be direct, speak the truth, etc., I'll try to keep all your comments ...

Happy reading!

BringYourOwnIT.com