
Analysis: Data protection – is the EU going too far?

By Stuart Sumner

06 Feb 2012


The European Commission (EC) late last month published a draft update to its Data Protection Directive calling for significant changes in the way organisations manage data. The changes are designed to encourage organisations to treat their data with more care. And this encouragement is largely targeted at corporate coffers – one proposal is that firms will be liable to fines of up to two per cent of their annual turnover for data breaches, down from five per cent in the original draft following industry criticism.

Vice-president of the EC Viviane Reding set out the proposals, claiming they will save organisations money by harmonising data protection rules across the EU, making it easier for international businesses to understand their obligations. This will save £1.9bn a year in administrative costs, she said.

This move towards a single set of EU data protection rules has been broadly welcomed by businesses, many of whom find the present patchwork of regulations difficult to manage. 

“The collation of harmonised data protection rules across 27 countries will save organisations a headache. Piecing together differing national data protection laws will have felt like one massive patchwork task for organisations, especially as the introduction of cloud computing placed question marks over the exact location of data,” said Jeff Finch, security services product manager at cloud services firm Interoute. 

But other commentators have criticised the proposals. James Mullock, head of data protection at law firm Osborne Clarke, points to the increased financial cost of ensuring compliance with the new legislation.

“These rules are a step in the right direction but to claim that they will make life easier for businesses and reduce their costs is misleading. The burden of extra expense at a time when major economies are again faltering is one that businesses could do without,” he said.

The tools and processes that firms will need to comply with the requirement to notify the authorities of a breach within 24 hours will certainly be an added strain on budgets.

“Most companies are unable to detect external targeted attacks leading to data loss,” said Paul Davis, director of European operations at security firm FireEye.

“The protection of information is critical to business and the establishment of trust with customers, and the notification of data breaches is important, but detection and blocking of exploits should take precedence.”

 

 
