Compliance, data protection and keeping safe online in 2012
Data Protection highlights
In Europe the data protection laws are being revised in the hope of strengthening online security. The laws in place since 1995 have allowed each EU country to implement them as it saw fit, leading to inconsistent data security across the EU. The proposed single law for the entire EU is intended to stop this divergence and reinforce customer confidence in online security.
Although data protection law has been in place since 1995, it has not kept pace with the extremely fast changes that have occurred, and are still occurring, on the internet. It is based on online activity as it stood in 1995, and a great deal has changed since then. The law needs to be adapted to accommodate today's online services and challenges; it needs to cover data protection in areas that did not exist in 1995.
If one looks at the purposes the internet is used for today, from social networking to cloud computing, both personal and corporate data are at risk. Everyone has the right to the protection of their personal data, so the rules need to be reviewed, adapted and supplemented where necessary to ensure that everyone receives the data protection they are entitled to, especially in today's internet age, where so much personal data is processed, transferred and stored online.
Some points covered in the new proposal
The following are some of the issues up for consideration in the new data protection proposal.
- To revise, appraise and improve the laws in the existing EU Data Protection Directive of 1995, replacing the old directive with an updated, modernised version.
- To strengthen the privacy rights of the individual and through this increase customer confidence in data security.
- To allow individuals more insight into, and control and management of, their own personal data, and to give them easier access to it. They will be allowed to have their data deleted if there are no valid reasons to retain it.
- To ensure that explicit consent will need to be given from the individual for their personal data to be processed.
- To ensure that the individual's data is protected at all times, regardless of where it is sent, processed or stored, even outside the EU. EU rules will still apply when the data is not processed or stored within the EU, so data protection would be enforced wherever in the world the data is.
- To achieve high levels of data protection in all areas.
- To enforce these laws and rules: substantial fines can be incurred if the laws are not followed.
- To reinforce the confidence and competitiveness within the EU market, through a standard legislation for all to follow.
- To facilitate and secure the international transfer of personal data.
- To set a data protection standard, to reduce complexity, legal uncertainty and administration costs.
- To ensure that companies and public organisations employ Data Protection Officers.
- To make notification of data breaches mandatory, requiring both the Data Protection authorities and all the individuals at risk to be notified within 24 hours of the breach.
Steps in the right direction: companies can start adapting to the new proposed laws
- All companies with more than 250 employees, and all public sector organisations, would need to employ named Data Protection Officers whose role is solely data protection. This would incur extra cost in organisations where it is not already accounted for; however, it is an obligation under the new proposed law.
- Companies will need to review their existing data management and security policies to ensure that they have a strict data protection policy in place, one that is well managed and continuously maintained and reviewed, as they would be held accountable for data breaches and would need to acknowledge and report them if they occur.
- It would become mandatory to acknowledge data breaches. The company would be required to notify the Data Protection authorities as well as all the individuals whose data has been placed at risk. This notification would need to be made within 24 hours of the data breach.
- Companies would need to comply with the new legislation or face substantial fines. A management system should be put in place to ensure that the company is complying with the legislation at all times.
- A good guide to employee and customer data protection is the ISO 27002 standard. ISO 27002 recommends the steps to follow to initiate, implement and manage information security.
Some recommendations to assist in managing your organisation's information security
- Assess your areas of risk
Study all the areas within your organisation where any form of personal data could be at risk, be it corporate data, employee data or customer data. Make yourself aware of all the areas where a data breach could possibly occur, even if you think it is unlikely.
- Security Policy
Once your areas of risk have been assessed and understood, steps should be taken to put in place a security policy specifically suited to your company's needs, with its specific risks in mind.
- Managing the security policy
Once the security policy is in place, it needs to be continually governed and maintained. If it is not enforced it might as well not exist.
- Asset management
An up-to-date record of information assets should be held and maintained. This lets you know which data, in the form of information assets, needs to be secured. If the records are not kept up to date, security will be less effective.
- Physical and environmental security
You need to ensure that physical security measures are in place, maintained and monitored to control who has access to the facilities and computers where your information is processed or stored.
- Access control
You should have strict controls in place limiting who has access to your data, be it corporate, employee or customer data, through your networks, systems, applications and so on. The number of people with access should be kept small, and each of them should be accountable for that access.
- Management of technical security
Systems and network operations should be controlled and managed.
- Security surrounding human resources
Have policies in place that govern the personal information of employees joining the company, leaving the company or being transferred internally.
Always look to improve your security. Look at building security into software and applications from the outset.
- Information security incident management
Have a policy in place for the event of an information breach, so that the breach can be dealt with appropriately and smoothly. Be sure that your response to a breach complies with legislation.
- Business management and data recovery
Ensure that protection, maintenance and recovery policies are in place for the data that is critical to your company's processes.
Most importantly, ensure that your company conforms to data protection legislation. Make sure you are aware of the laws and up to date with the changes. At the end of the day you will be held accountable for any security breach that occurs and will have to deal with the consequences. Make it your business to be familiar with the law, and up to date with it, at all times.
People are more aware of their personal data being placed at risk and used without their consent, whether it is transferred between companies to increase their market base or deliberately misused. We live in an age where we are ever more frequently required to hand over our personal data, yet we are extremely unsure of the security of that data online and aware of how little control we have over it once we hand it over.
If laws could ensure the security of one's data online, this would strengthen the trust between customers and the various online services, which is needed in the ever-growing digital economy of today.
Having the same legislation to follow throughout the EU should benefit both individuals and organisations in the long term, strengthening confidence in online security and making it easier for companies throughout the EU to remain compliant at all times. A single piece of legislation is also simpler to enforce, as there can be no excuse about which laws were meant to be complied with.
The proposal is only at the review stage, so it will be a few years at least before the new laws are enforced; however, it is in a company's best interest to start making the necessary changes now. This will make the transition much easier and spread any cost incurred. Ensuring that your corporate data, and that of your employees and customers, is protected at all times should be common practice, not just a response to a new set of laws.