Thursday, 3 December 2015

Proposed EU Data Protection regulations grow some serious teeth in the Digital Age

It is amazing what people will do to get noticed, as this young lady in Thailand demonstrates. At the other end of the scale, the smooth law makers within the EU gently slide obligations towards us almost unnoticed.

The Digital Single Market and the associated Data Protection regulations are scheduled to come into force in December 2017 and bring with them a very different regime for managing personal data. Within the UK the Data Protection Act 1998 requires six core principles to be followed. One of these principles is that personal data is kept safe and secure.

The maximum fine under the DPA is £500,000. While this is a substantial sum, it is possibly less than the cost of the required data security for a large organisation such as Talk Talk (just for example).

Under the proposed new regime fines can be between 2% and 5% of turnover, up to a maximum of £100 million. Using Talk Talk as an example, with a turnover of £1.8 billion the maximum theoretical liability would be £90 million. Possibly worth addressing the SQL injection issues then?

The guiding principle under the proposed new regime looks to be that companies or individuals handling personal data (which is pretty much anything) need to meet "reasonable expectations of data privacy" and liability follows if they do not.

The suggestion is made that encryption is one potential way to meet this requirement, but this is not a given. If an encryption system is found to be flawed or to have a back door, it presumably does not meet this threshold? Implementing one encryption system is tricky enough, but having to change systems in a hurry is breakdown material if the encryption is cracked.

Another aspect of the proposed legislation is the right to erasure. This immediately brings to mind the popular club music duo of Andy Bell and Vince Clarke, but this was probably not the aim of the law makers involved. The serious point is that information will need to be actively managed so it does not remain forever, which will impose a further layer of cost.

Massive organisations such as banks, telcos and ISPs who hold personal data are looking at chunky liabilities and costs, as are the service providers who manage the data.

Within the SME community this will be even more challenging, as the IT systems and suppliers often fit into the cheap and cheerful category and don't have much resource to direct at IP and cyber protection and data management.

For about 15 years there has been a relaxed attitude to IP protection in the Digital Age, but post Snowden, Sony Pictures and TalkTalk this is drawing to a close and regulation (with cost) is on its way.
