I'm aware of the new EU law changes regarding data protection. As a security consultant for an IT company that manages multiple other companies' systems, I was hoping someone might be able to clarify a few things for me.

1) I'm aware that the new law can impose a fine of 5% of annual turnover, up to 5 million pounds, on a company found not to be taking adequate measures to protect its data. Does this also scale for smaller businesses who hold ~100 clients? And would this fine be as severe for, say, a ~5 employee company who sustained a leak of information?

2) How does this scale with a smaller company's budget? For example, things like data encryption are cheap; however, more comprehensive anti-malware systems and IDS/IPS systems are more expensive. How does this requirement scale for a smaller company who can't afford to spend thousands on this?

Thanks for any insights/clarification.

IngenuIT
  • Where would you have suggested I put it? I wasn't entirely sure, due to it being with direct regard to information security, but also being about the law. – IngenuIT Oct 19 '15 at 12:18
  • Please, when asking a legal question, clarify where you/your business is located. I assume you are in the UK? Also, it would be very useful to provide a link to a document describing the changes, since the law might change again in the future and make your question very confusing to readers. – Steve Dodier-Lazaro Oct 19 '15 at 14:21

1 Answer

The data protection law requires companies to protect personal information in a reasonably secure way. The fine is scalable, as it depends on the company's annual turnover. It's a bit more 'fair' than on a per-employee basis (e.g. a 5-man company can have a 100k but also a 5 million euro turnover).

First of all note that this is not entirely new, so if you are suddenly thinking about data protection, you are probably not compliant with local regulations.

Data protection acts have existed for several years; the reason a European DPL was created was mostly that larger companies with entities in different countries all had their own set of laws with regard to DPP. There are more advantages for companies who were already complying. The companies who will have issues are the ones who are currently not complying with the DPL.

The advantages for companies are:

  • One continent, one law: The Regulation will establish a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Companies will deal with one law, not 28. The benefits are estimated at €2.3 billion per year.
  • One-stop-shop: The Regulation will establish a 'one-stop-shop' for businesses: companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU; and easier, swifter and more efficient for citizens to get their personal data protected.

The one thing a lot of companies are worried about is this:

  • European regulators will be equipped with strong enforcement powers: data protection authorities will be able to fine companies who do not comply with EU rules up to 2% of their global annual turnover. The European Parliament has even proposed to raise the possible sanctions to 5%.

Companies who are worried about this are mostly companies based in a European country which does not have strict, or does not enforce, data protection regulations.

The directive doesn't require you to purchase expensive hardware; it requires you to have controls in place to, within reason, make sure you are adequately protecting your data. This is quite broad and leaves it open for interpretation (mostly not by you, but by a judge). IDS and IPS needn't be expensive. There are free, open-source based HIDS as well. It's up to you to perform a risk assessment and see what software/hardware you will need based on the chance that a threat might materialize.

It will require companies, also small ones, to think about data governance and how they manage access to certain personal data. It also gives an incentive to remove personal data once it's no longer required. The directive serves as a reminder and incentive for companies in general to think about their data security and what the consequences might be.

Small to medium size enterprises will be exempt from certain requirements:

  • Data Protection Officers: SMEs are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
  • No more notifications: Notifications to supervisory authorities are a formality and red tape that represents a cost for business of €130 million every year. The reform will scrap these entirely.
  • Every penny counts: Where requests to access data are manifestly unfounded or excessive, SMEs will be able to charge a fee for providing access.
  • Impact Assessments: SMEs will have no obligation to carry out an impact assessment unless there is a specific risk.

The rules will also be flexible. The EU rules will adequately and correctly take into account risk. In a number of cases, the obligations of data controllers and processors are calibrated to the size of the business and to the nature of the data being processed.

Lucas Kauffman
  • Thanks, this really clears it up. I heard all about these "new" laws, and was concerned about the difference. And I'm hoping to use the increased fine as a method of pushing our clients to be more compliant. Is there a good resource I can research which will detail what the EU expects of smaller companies to achieve compliance? Also, does non-compliance leave us, as the manager of their IT systems, liable? – IngenuIT Oct 19 '15 at 13:52
  • Don't really know of any resources. The fact you are managing their systems can make you liable, but I'm not sure, check with a lawyer :) – Lucas Kauffman Oct 19 '15 at 14:09