It’s been a busy decade for data privacy. Incidents such as the leaking of top-secret NSA documents by Edward Snowden, the computer analyst turned whistleblower, have thrust the issue further into the public’s consciousness. Before that, Private Manning made Julian Assange a household name by leaking the largest ever set of classified documents to the public via WikiLeaks, for which Manning was convicted of violations of the Espionage Act. Worldwide, more than 575 million data records were lost or stolen in 2013, including over 1.6 million UK records.
As a result, regulation exists that aims to combat data loss, but it is a minefield: its disparate nature and lack of transparency have spawned a climate of confusion. There is little understanding of exactly what is in place, what the consequences of breaking these rules are, and what is on the horizon.
So what can businesses do to navigate and understand the implications of these complex regulations? This year will finally see the establishment of clear and enhanced worldwide privacy regulation and, as a result, data protection compliance can begin to take a front seat in the decision-making processes of anyone involved in the management of data.
So what should you look out for? In March, the European Parliament approved the draft Data Protection Regulation. This regulation will replace the Data Protection Directive, legislation written in 1995 that has become unwieldy in the mature internet era as it struggles to account for the likes of the cloud, social media and apps.
The document will ‘create greater harmonisation across member states’ by giving more power to the users of online services, increasing regulatory enforcement and focusing on transparency in the way data is used and shared. It also proposes stronger safeguards for EU citizens’ data that is transferred abroad. However, businesses will be expected to adopt more proactive governance structures to manage privacy risk, and the regulation considerably increases the fines that can be imposed on companies that break the rules.
The most recent piece of UK news concerns the Data Retention Directive, or the ‘snooper’s charter’, as the media have quipped. This Directive aims to allow the collection and storage of data from UK citizens’ internet and phone use for up to 12 months for later examination.
In a judgement delivered in April, the European Court of Justice declared the Directive illegal because it “interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data”. Very little has been written about this Directive, but essentially it has a similar focus to the draft Data Protection Regulation. However, it takes a different angle on data handling, focusing on how public authorities investigate criminal activities.
This move to update regulation is not confined to the EU; activity here is being reflected globally as international data privacy laws rapidly expand in complexity and reach. New legislation has emerged in Asia, South Africa and many South American countries, and the US is a hive of activity in the wake of Snowden. Even for businesses that don’t operate beyond the EU, it’s important to keep an ear to the ground as these laws develop, since they are likely to influence thinking on these shores.
The emergence of this whole tier of new regulation is not to be sniffed at – the fact is there are now huge penalties for losing data. The ICO can fine companies up to £500,000 for breaches of the Data Protection Act. Indeed in March, data protection law specialist Kathryn Wynn of Pinsent Masons claimed the UK government should consider raising the level of fines that the ICO can impose, as it would reinforce the importance of data security.
Regulators are also now proposing fines of up to five per cent of global corporate turnover. And for those operating in the financial sector, the Financial Conduct Authority can impose unlimited monetary penalties on businesses that slip up with data. It’s clear that compliance should be front of mind for organisations of every size. To achieve this, there must be clarity on how data is classified, distinct data classification protocols must exist, and clearly communicated policies must be put in place – and actioned.
Businesses must also be mindful of the endpoint. Data leaks often originate from vulnerable devices and uneducated end users. IT decision makers must invest in tools that help mitigate this risk and ensure staff are educated on the value of data. This is made all the more pertinent by the results of our recent Mobile Enterprise Risk research survey, which found that 23% of employees claim that data security is not their responsibility, and only 63% of those surveyed claim there is a formal procedure in place when a device is lost.
Implementing these steps will help to secure the operational areas of IT, security and data management and ultimately help identify and manage risks early and coherently. Only then can you ensure your business is neither confounded nor punished by the current backdrop of complex and shifting regulation.