Data breaches are about to cost your firm more than its reputation.
European data protection rules are about to get a whole lot tougher. The EU’s first overhaul of its privacy law since the 1995 Data Protection Directive will broaden the definition of what counts as personal data, and bring far more stringent enforcement with it.
Under the current directive, each member state transposed the rules into its own national law, and enforcement has been patchy, with penalties that amounted to little more than a slap on the wrist. The replacement is a regulation, which will apply directly in every member state once passed, and it will give regulators the power to levy fines of up to 5% of global annual turnover.
With the laws expected to be made official by the end of 2014, CBR attended a recent roundtable held by security firm Trend Micro to see what the consequences will be for your business.
A recent survey conducted by Trend Micro of 250 British IT decision makers found that just half were aware of the upcoming changes, and only 10% knew what steps would lead to compliance.
A quarter did not believe it was even possible to adhere to the rules, and another 25% did not think that fines existed at all, despite the potential for penalties of up to €100m under the proposals.
James Walker, Trend Micro security expert, says: "There’s a huge lack of understanding of what the regulations are and what impact it’ll start to have on organisations financially. [They don’t know] what they need to do, what changes will happen in their organisation, and among their people, process and technology."
Well, hopefully we can shed a little light on it for you.
The cost of not complying
Vinod Bange, data protection specialist at law firm Taylor Wessing, explains that today the cost of not complying is outweighed by the cost of ensuring your firm adheres to the data protection rules currently in force. However, "those scales are going to tip the other way completely," he warns.
With non-compliance fines set at up to 5% of global annual turnover or up to €100m, whichever is greater, it pays to get your house in order. This particular tenet of the new regulations is designed to make the boardroom pay attention.
Bange recommends firms concentrate on getting up to date with the current regulations, so upgrading again once the new ones are enshrined in law isn’t such a big jump.
He says: "[Get] your current baseline up to where it should be. If you don’t, it’s going to be an even bigger job."
So, exactly who’s liable?
A lot of uncertainty exists over who’s liable for a data breach when you’re using a third party to process your data. Max Perkins, insurance data expert at Beazley, says it’s better to be safe than sorry.
"If you’re the data owner that means you have collected the information from a consumer," he claims. "Just because you have made a business decision to outsource it, you’re still the data owner. That doesn’t pass from you.
"If a regulator feels like a business is being reckless with the information that they hold and with respect to their consumers, then that regulator will be punitive and will use its power."