EU data protection guidelines

14 January 2013

Today, we entrust businesses and public sector organisations with our most personal data.

In return, we have a right to expect that our details are treated carefully and responsibly. Yet despite the growing scrutiny from the authorities and the media, and the subsequent increase in high-profile reporting of data breaches, organisations across Europe continue to lose and accidentally destroy personal and confidential data.

In response, EU citizens are becoming increasingly concerned about who holds what information and how securely this information is held - and rightly so.

Time for a rethink
Viviane Reding, European Commissioner for Justice has decided it is time for an overhaul of European data protection legislation. Her draft European Data Protection bill, announced last January, seeks to introduce more stringent rules and regulations, aimed at boosting protection and privacy for the individual; the organisations handling our data will face an increased burden of responsibility and accountability as a result.

The objective is that the rules be implemented with consistency and clarity across all European Union member states. It is hoped they will also apply to organisations based outside Europe that do business within the community.

The new legislation will replace the EU Data Protection Directive 95/46, an important component of EU privacy and human rights law, under which organisations in both the public and private sector have been operating for thirteen years.

The legislation would be good news for organisations in a number of ways. It would reduce bureaucratic compliance requirements for many organisations and provide a single set of compliance laws across Europe. At the same time, it would impose a greater responsibility on organisations to protect against and acknowledge data breaches. However, this would imply stiffer penalties for organisations that fall short of the legal requirements.

This is no bad thing. Facilities managers need to play a central role in stopping the flow of sensitive information leaking out of organisations. They need to ensure that the right information policies and procedures are in place. All too often, it seems that organisations are mopping the floor after the leak. It's about
time someone got up and turned off the tap.

Far-reaching impact
In particular, the draft EU proposal includes four requirements that would, if adopted, have a far-reaching impact on facilities managers. The first of these is the mandatory notification of breaches.

This recommends that both the relevant Data Protection Authorities (DPAs) and all affected individuals have to be notified within 24 hours of a data security breach, including unauthorised destruction or loss. The data protection authorities must be notified even in the absence of any risk of harm to data.

The devil's details
This requirement raises a number of important questions including the need for data breach thresholds: does this requirement apply to the loss of a single record, for example, and would there be a longer time limit if the data breach involved the loss of millions of customer records? It also raises the question as to whether public and private sector organisations would be able and indeed willing to self-regulate.

The second requirement is that all public and private sector organisations with more than 250 employees, have a named data protection officer. This could have significant resource, training and recruitment implications for many organisations. One option could be to add the responsibility to the remit of the facilities manager.
Thirdly, the proposal opens the way for significantly increased fines.

Under the draft legislation, regulatory authorities would have the powers to impose fines of up to £1 million - or two per cent of turnover for private sector organisations - for failures to comply with the regulation.

That the EU is prepared to authorise this level of punishment highlights just how serious data protection is to be taken. Last, but not least, the draft bill seeks to give individuals the 'right to be forgotten'. In essence, it states that individuals should have greater control over their data and be allowed to demand the removal or deletion of personal records from any organisation that holds them.

If adopted, this requirement would have immense resource implications for organisations and could be time-consuming and complex to implement, particularly where it relates to the fast-moving world of social media. However, the small print suggests that this right is a 'qualified' one.

It remains to be seen how much of the draft proposal makes it into the final legislation; but the announcement of the plan has given facilities managers a valuable opportunity to take on new responsibilities and enhance an organisation's information handling policies. We must seize that opportunity now, rather than waiting for the new EU legislation to be finalised and to come into effect.

By then it will be too late.