EU Data Protection Regulation, right to be forgotten and heavy fines for non-compliance – your need-to-know guide to regulation in 2015.
2014 has seen numerous high-profile breaches and data leaks, igniting a debate surrounding regulation and technology. CBR highlights what industry experts think the regulatory landscape is going to look like in 2015, providing insight into what 2015 regulations could mean for you and your business.
1. Control returns to the EU
"In 2013 and 2014 security breaches, vulnerabilities and revelations around security were not only common headlines but also serious issues for many businesses. I don’t see that changing in 2015, but what may change is ever-increasing regulation and controls to mitigate the impact and return some control to the EU", commented Kevin Linsell, head of service development at Adapt.
"Some of these changes, such as the revised EU Data Protection Regulation are fast becoming law and the impacts, such as the ‘Right to be Forgotten’, can be assessed by an organisation."
"There are other regulations that industries need to prepare for, such as working towards Solvency II ahead of it coming into effect in 2016 in the insurance sector."
2. Compliance poses challenges
Symantec’s Sian John, Chief Security Strategist, EMEA, commented, "2015 will see continued focus and concerns on privacy and how information is being used as the EU looks to implement its new Data Protection Legislation."
"For businesses in Europe, juggling the need to ensure compliance with the new regulations, while keeping pace with the global economy by using their vast amounts of data to drive new services and revenue streams, will create new challenges for organisations in 2015."
3. Regulation will cause IT strategy rethink
Stephen Midgley, VP Global Marketing, Absolute Software, commented: "Businesses may think they have a future-proof IT strategy in place, but substantial regulation changes on the horizon will force a considerable rethink."
"The EU Data Protection Regulation, which should come into force in 2017, will ramp up businesses’ responsibility for data security, increasing sanctions for mishandling it. In short, this means fines of up to two per cent of a business’s annual global turnover and possibly a requirement to report a breach within 24 hours."
"This has ramifications for any strategy that is based around data – like BYOD, storage, internet of things and cloud. Because the changes in law are radical, organisations will have to work hard in 2015 to have a chance of complying and avoiding substantial fines when the new laws come in."
4. De facto standards for the cloud
Simon Aspinall, President at Virtustream, commented, "As the cloud market matures, calls for an official regulatory body will increase. However, the speed with which the industry is moving makes it very difficult to draft regulation, making a traditional regulator (similar to Ofgem in the utilities sector) impractical. In its stead, we will see market pressure and customer expectations from the enterprise driving de facto standards."
"The closest we could get to a regulatory body in 2015 would be the emergence of a third-party referee for contentious issues such as measuring up-time, SLA levels or insurance liability. This would most likely take the form of publicly published information from application/cloud monitoring companies."
5. What about the US?
David Gibson, VP at Varonis, took a look across the pond to see what changes we can expect from the US. He commented, "Early in 2014, after the Target breach, there was some support in the U.S. Congress for a national breach notification law. Proposed legislation would put into place for the first time a single set of rules for alerting consumers when their personal information has been exposed."
"Unfortunately, the idea has not advanced any further. More progress has been made in Europe. The highly anticipated EU Data Protection Regulation or DPR would require consumers to be promptly alerted after a data exposure. The new rules are modeled after breach reporting requirements already in place for ISPs and telecom carriers."
"Will the DPR finally be approved in 2015? It’s still possible, although some of its tougher requirements — right to be forgotten and heavy fines for non-compliance — will likely be relaxed. In any case, data security laws are moving in the direction of greater consumer safeguards. We’ll see which side of the Atlantic has more political will to protect consumers in the coming year. The final results will have a strong influence on consumer confidence in global companies."