Retail Technology
Plans to be unveiled this morning will bring regional data protection into the digital age

Legal experts are urging businesses not to ignore European Union (EU) plans for a Data Protection Directive that are due to be unveiled this morning.

Leaked drafts of the plans, due to be outlined by EU Justice Commissioner Viviane Reding, have included the consumer’s “right to be forgotten” by companies storing personal information obtained over the internet, as well as data breach notification requirements and timeframes.

The law will overhaul the EU’s existing 17-year-old data protection directive and harmonise existing national laws in 27 EU countries. But experts have questioned the practicality of its application.

Vanessa Barnett, partner at law firm Charles Russell, said the plans are intended to give people the right to change their own digital history. “Under plans which are due to be unveiled, it is proposed that individuals will be given extensive new rights over their online privacy. Under far-reaching plans – in its most significant act in the area since enshrining a right to privacy at all – the EU finally drags data protection into the internet age,” she said.

Facing implementation challenges

“These rights are to include more transparency and more control for individuals, including the right to be ‘deleted’. What does that mean in practice?” Barnett asked. “It means the embarrassing photo evaporates and that ‘not meant to be public’ tweet is gone. For individuals this is a welcome move, but the implementation will be challenging. We currently have a mix of rules across tens of member states and harmonisation will be difficult, legally and operationally.”

Barnett added that, once harmonised, the compliance costs to businesses would be significant, as would the more stringent breach notification requirements (i.e., notification within 24 hours). “However, businesses embracing the new regime will benefit by grabbing ‘mind share’ of the market, as individuals more readily choose relationships with online services that actively respect their rights to privacy. We urge businesses not just to react to it, but to plan for it.”

Redoubling web security efforts

Paul Davis, director of European operations at network security company FireEye, added: “It’s all well and good to legislate that companies must notify the public and the authorities within 24 hours or face a fine of 2% of their global revenue, but the elephant in the room is that most companies are unable to detect external targeted attacks leading to data loss.”

Davis said the protection of information is critical to business and the establishment of trust with customers and the notification of data breaches is important, but stressed detection and blocking of exploits should take precedence. “An organisation has to be aware of an attack and they can't report a data breach they have no knowledge of: that’s the real issue facing businesses today. Just because they can't see an attack or are unaware of the subsequent loss of data doesn’t mean it isn't happening.”

“Reporting within 24 hours of discovery is admirable but if the company wasn't aware of the breach for 24 days then where do all involved stand?” Davis added. “A greater emphasis on detection and blocking is required: it’s better for businesses and ultimately the customer.”