Earlier this week wording was agreed for new data protection legislation which is expected to come into force in 2 years.
Key wording is that personal data must be "processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".
The agreed wording identifies the types of issues that companies might consider to meet this threshold:
1. Pseudonymisation / encryption of personal data
2. Ability to ensure ongoing confidentiality, integrity, availability and resilience
3. Data restoration post breach
4. Regular testing
The bottom line is that the profitability of data processing will drop, as the costs of maintaining a secure digital environment are material and most businesses will face additional compliance costs. As a minimum, companies that process personal data will require an individual, either in-house or as a contractor, who can assess digital security risks sensibly and address problems (a data protection officer).
Amusingly, governments have secured broad exceptions to these rules even though they tend to make the greatest howlers in this area - see Edward Snowden.
On that note, a clip from Catch 22...