Data protection experts said a draft EU regulation announced this week should reduce the cost of compliance for some companies, but warned that many still were not aware of their obligations to protect sensitive information.
Hugh Jones, a partner with data protection consultancy Sytorus, said the regulation would be "a learning curve" for many businesses that had not been complying to date.
“Some organisations unfortunately are starting from zero – where they should have been in 1995 or 2003 when the original directives were introduced,” he said.
The European Commission said businesses would benefit from the reformed regulation, claiming they would save up to €2.3 billion a year because the single, harmonised law will replace 28 different versions currently enacted under individual countries’ legal systems.
Mr Jones said the regulation didn’t appear to raise the cost of compliance but said the price of non-compliance was likely to increase. European regulators are to be given strong enforcement powers including fines of up to 2 per cent of an organisation’s global annual turnover. The European Parliament has even proposed raising sanctions to 5 per cent.
One-stop shop
“The cost for an organisation to be compliant will be influenced by whether they have invested in data protection over time. An organisation with a culture of compliance won’t be significantly out of pocket by stepping up,” said Mr Jones.
The regulation's proposed 'one-stop shop' means companies will only have to deal with a single supervisory authority, not 28. Information security consultant Brian Honan said this was positive for exporters selling throughout the EU.
“It reduces the effort and onus required to keep abreast of all the local implementations of existing data protection rules,” he said.
Small Firms Association director Patricia Callan welcomed amendments to the regulation as originally proposed, saying the changes would make it easier for small companies to comply. She called for an awareness programme to be launched when the regulation is formally introduced.
“There has to be a marketing campaign to educate people and tell them what the law is, such as rolling out supports at European and national level to make it easily understandable and a checklist for exactly what companies need to do. That will be what makes the regulation stick or not,” she said.
The reform is expected to be finalised later this year. Mr Honan said he did not expect the draft to change much and advised businesses to prepare in the meantime.
“Businesses should make themselves aware of what the draft proposals are, look at where they store personal data and get a good handle on where that’s processed and start putting data protection controls now, be that training, controls, or technology, to protect that data. Companies shouldn’t wait for the regulation to come into being to protect the data that they have,” he said.
Customer information
Pat Larkin, chief executive of computer security firm Ward Solutions, said he had seen growing awareness at board level of the business risk and reputational damage posed by losing sensitive customer information. As a result, many have put in place more stringent data protection measures.
“If you’re doing the right thing by your customer first, then compliance follows. If you are purely compliance-focused, you can still take a tsunami of a data breach that will cripple your business,” he said.
While businesses get to grips with the implications, other groups are requesting exemptions. Health research bodies and data scientists have said unique data use issues that emerge in areas such as cancer research need to be treated differently.
“There can be significant discoveries that can be produced on the back of patient and research data. If one has billions of pieces of data, getting ‘re-consent’ every time you want to do something new with it can stifle the process to the point where it becomes impossible or overly costly,” said Professor Barry O’Sullivan, director of the Insight Centre for Data Analytics in Ireland.
“Of course, any exemption that’s given for research purposes must treat all patient data with the due respect, concern and diligence it deserves.”