EC proposes overhaul of data protection legislation

The proposals have already seen a mixed reception from industry

The European Commission (EC) will later today publish a draft update to its Data Protection Directive, which is set to require major changes in how companies manage data privacy.

Speaking about the forthcoming amendment, EC vice president Viviane Reding said that private companies will be required to notify the authorities if they suffer a data breach.

"Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, within 24 hours."

Some industry insiders believe that the rules will add to organisations' costs.

David Fowler, chief operational officer at identity and access management solutions provider Courion, said that this change will force many firms to adopt new processes and technologies to manage the risks of data breach.

"Enforcing 24-hour mandatory reporting of security breaches will put significant pressure on organisations to speed up internal security auditing processes and adopt more effective tools for managing and analysing risk.

"Many of the security breaches that we witnessed last year were caused by inappropriate access to confidential data and poor compliance with data protection policies and regulations."

Fowler added that better management of who is able to access corporate data would be needed.

"To avoid this, businesses need to implement effective access risk management solutions that enable better visibility of access risk and monitor in real-time how sensitive data is being used, accessed and stored."

However, Paul Davis, director of European operations at security firm FireEye, said that many organisations will be unable to comply with the new rules due to a lack of skills and tools to detect data breaches.

"Most companies are unable to detect external targeted attacks leading to data loss.

"The protection of information is critical to business and the establishment of trust with customers, and the notification of data breaches is important, but detection and blocking of exploits should take precedence."

The proposals will also aim to homogenise data protection rules across the EU, making it easier for international businesses to understand their obligations.

Reding said this will save businesses £1.9bn per year by reducing administrative costs.

Jeff Finch, security services product manager at cloud services firm Interoute, welcomed this change.

"The collation of harmonised data protection rules across 27 countries will without a doubt save organisations from a headache. Piecing together differing national data protection laws will have felt like one massive patchwork task for organisations, especially as the introduction of cloud computing placed question marks over the exact location of data."

He added that he would like to see this harmonisation extend across the Atlantic to the US.

"The next step is to look for harmonisation with laws in other countries like the US, where the Patriot Act enables authorities to search telephone, email, and financial records without a court order.

"Thus, understanding where data resides and in whose datacentre will continue to be a crucial part of corporate governance for organisations."

The EC proposals are also expected to require organisations to delete an individual's data when there is no legitimate reason to keep it.

"If an individual no longer wants his personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system," said Reding.