High-speed internet, smartphones, Wi-Fi, IP-connected devices such as printers, and cheap networked and flash storage have changed the business landscape significantly in the last 10 years. This evolution continues to alter the way we work and do business, but in doing so we collect, process, store and access vast amounts of data, whether in the office or via a third-party provider.
Data privacy, particularly that of the sensitive and personal information we collect as we go about our business, has been under the spotlight in recent years. Major corporate hacking stories have seen customer records breached and sometimes traded on illegal markets. Whistle-blowers like Edward Snowden have shown how trust in governments' handling of privacy has been compromised, and have exposed mass-scale collection of data about citizens simply using their phones. Finally, we have recently seen the so-called "Google" right-to-be-forgotten ruling, which gives individuals the right to have certain historical information about them removed from internet search engine results.
The European Parliament is expected to pass new EU data protection legislation this summer, with the aim of harmonising the member states' differing laws and accounting for some of the changes noted above. It will change the UK Data Protection Act in some quite significant ways, and as business owners and executives we need to be aware of these changes.
First and foremost, in the area of penalties the revised law will have significant teeth: fines of up to 5% of annual turnover, compared with the £500k cap in place today. This change in focus is designed to force organisations to take sufficient and reasonable steps to secure the information they handle in the course of business. The law will also make clear that liability is shared between customers and their suppliers, a move intended to account for the heavy reliance on third-party suppliers such as cloud providers: outsourcing the processing does not outsource the responsibility. One further area currently under debate is known as mandatory notification, which in draft form places a 24-hour obligation on organisations to notify the Information Commissioner's Office if they suspect they have been breached, or have been caught up in a breach at a supplier. If this element of the law passes, it presupposes that continuous self-monitoring of systems and suppliers is in place, since an organisation that only discovers a breach weeks after the fact cannot meet a 24-hour deadline.
Some of the proposed changes are going to transform our traditional views of data protection, and how seriously we resource and measure our security control efforts. What are your thoughts on these proposals? Are they too stringent, particularly the 24-hour notification mandate? Do we feel that our organisations face a real threat from hackers, or do we see this as hype?