The Green Sheet Online Edition
January 28, 2013 • Issue 13:01:02
SMEs and important changes to the EU data protection act
Editor's Note: This article was originally published by Business Computing World on Dec. 20, 2012. Reprinted with permission. - Mako Networks Ltd.; all rights reserved.
The European legislative changes planned for 2014 will unify data protection practices across the European Union, standardizing requirements around public disclosure and the penalties if a breach should occur at a business that has failed to adequately protect its data.
For all organizations that store or process payment card transactions, the significant change that 2014 will bring is reclassification of payment card information as personal data, and therefore it will be legally treated as such. This means businesses will have to ensure security and compliance processes are up to scratch to meet the mandated requirements and avoid legal action.
What will this mean for SMEs?
Small and midsize enterprises (SMEs) are no less susceptible to data breaches than larger organizations and are increasingly seen as easier pickings. They often lack the necessary resources, such as a dedicated data controller or security officer. This means that the role of managing data security is often foisted onto the business owner or delegated to an untrained employee.
Fortunately, the existing Payment Card Industry Data Security Standard (PCI DSS), a set of best practice security guidelines set up by the credit card companies, forms a good basis on which to protect both payment and nonpayment data if correctly implemented and continually enforced. There is, however, a counterpoint: a breach based upon a failure to correctly enforce the PCI DSS exposes a merchant to the risk of penalties under both regulatory regimes.
As it stands today, when data is lost or stolen it's only the government and the telecommunications industry that are required to formally declare a breach as having occurred. Once the EU regulation is in place, investigations by the relevant authorities will be standard across all sectors, as will the requirement to proactively notify victims and regulatory bodies alike.
If an organization fails to adequately protect data, the proposed fines could cost a business 2 percent of global turnover, and the required forensic investigations are exceptionally disruptive for any organization. Organizations of all sizes have a responsibility to safeguard the personal information of their employees - something still frequently overlooked within the SME sector. A breach of employee data can have as dramatic an effect as losing customer data, since it can easily form the basis for identity theft.
What does 2014 have in store?
Looking ahead to next year, we would advise SMEs to get up to speed on security and prepare for further regulation in their longer-term business plan. The introduction of legislative changes surrounding data protection is a clear message that Europe's lawmakers are taking data protection seriously, and SMEs have no option but to find a way to implement appropriate processes or procedures or face the ignominy of a data breach.
Important factors to be considered now by SMEs are:
- Taking time to fully understand all elements of data protection, including point-to-point encryption, data breach notifications, data transfer compliance, etc.
- Conducting regular and consistent staff training on data protection
- Building long-term relationships with qualified security vendors
- Executing audits and privacy assessments
- Carrying out supplier/partner audits covering encryption, agreed service levels, data breach notifications and supplier due diligence
The essential measures needed for merchants to comply with the new European Union Data Protection Regulation of 2014 should be implemented now if SMEs want to truly protect their businesses.
What is the Data Protection Directive?
"Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data" (known as the Data Protection Directive) is a 1995 European Union directive that regulates the processing of personal data within the EU.
A critical part of EU privacy and human rights law, the directive is now in the process of being updated. "The protection of personal data is a fundamental right for all Europeans," said EU Justice Commissioner Viviane Reding. "A strong, clear and uniform legal framework will help unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation in Europe."