EU data protection rules set for shake up

Reports have suggested that an agreement has been reached on the terms of an EU-wide data protection law that will include a single set of rules that apply across the continent.

The law will affect any instance in which a business processes any form of data on individuals, whether they be customers, suppliers or even just users of a website.

The amount of customer data being gathered by companies is continuing to grow, leading to an increased need for effective data security. The recent breach involving UK broadband firm TalkTalk was a timely reminder of the importance of securing such systems.

However, this latest measure from the EU looks set to address the increasingly pressing area of employee data, in terms of both its range and its quantity.

The new legislation, which will be implemented by 2018, will carry a greater fine for non-compliance, with the maximum penalty being €20 million or four per cent of a company's worldwide turnover, whichever is higher.

The greater penalty may seem harsh to some onlookers, but the main aim behind it is to sharpen the minds and attention of board members.

The idea is to encourage extensive forward planning and preparation for data protection policies, many of which are having to adapt to increasingly complex and sophisticated threats.

There is also a sense that a strong culture of data security is something required from top to bottom of every organisation, no matter what their size or industry sector.

News of this latest EU measure may well add another interesting angle to the upcoming referendum, as the legislation is likely to replace the UK's current Data Protection Act.

Increasing costs

A unified response to data security has helped add to the case for the UK to remain in the EU. However, some analysts believe the new measures will have a potentially negative impact on some companies, particularly those lacking the skills and expertise needed to implement such a policy.

In a recent column for TechTarget, Mike Chapple, senior director of IT Service Delivery at the University of Notre Dame, said a number of companies would need to appoint semi-independent Data Protection Officers (DPOs) who would report to regulatory authorities and not to the organisation employing them.

DPOs would also be required to inform government regulators about any data breaches as soon as they are aware of them.

Interestingly, as Mr Chapple points out, the scope of the new regulations will apply to any company dealing in the personal information of EU residents, even if they are not based in the EU.

Even companies based entirely in the United States will have to get their heads around the latest measures, or otherwise risk the prospect of a significant fine.

Such jurisdiction is likely to yield court challenges and vocal complaints, but the bottom line is that companies looking to deal with the EU will pay close attention to this regulation as it develops - a point that will be more relevant to UK businesses should the Brexit campaign prove successful.

However, the potential sanctions that could be imposed on companies that fail to meet the compliance requirements should nevertheless prove motivation enough.