Data Protection Directive Approved by EU
The new EU Data Protection Directive will grab the attention of every CEO and business owner

The European Parliament has voted in favour of the new Data Protection Directive, with approval for fines to be raised from 2% to 5% of global turnover.

In an email sent to IT Security Guru, Unilever global privacy officer Steve Wright said that the main pillars of the draft are being supported by the EU, and the regulation is also moving to the proposed "one-stop-shop" of a single regime.

Wright said: "These new requirements include the 'right of erasure', data responsibility changes, appointing a privacy officer, new accountability, mandatory breach notification, new sanctions and much more - all of which (according to the EU Commission) will add 'trust' to the digital economy."

He also confirmed that the vote raised the proposed fines for data breaches from 2% of global turnover to 5%, or €100 million (£85m, $138m).

While the draft regulation has yet to be adopted by member states, EU Justice Commissioner Viviane Reding said that this will allow two years for compliance to be demonstrated, while risks such as spying and criminal elements need to be considered as part of an overarching prevent, detect and respond strategy.

Data protection: Made in Europe

"The European Parliament has just given its full backing to a strong and uniform European data protection law that will cut costs for business and strengthen the protection of our citizens: one continent, one law," said Reding.

"Tonight's vote also sends a clear signal: as of today, data protection is made in Europe."

Reuters reported that negotiations with EU member states and the European Commission on the law are to start later this year, or early in 2014, when EU leaders will discuss the issue at a summit in Brussels later this week. The aim is to have the legislation agreed before May, when the assembly breaks up and new European Parliament elections are held.

Complex

Eduardo Ustaran, partner at Field Fisher Waterhouse, told IT Security Guru that he felt that this was a "really measured draft" and while he felt that there were some "unreasonable restrictions" on data flows, he called it a "very complex piece of legislation."

He said: "The right to be forgotten has been replaced with the right of erasure, so it is a bit more realistic than what was published in January 2012 which was so draconian. What has appeared now has some unrealistic elements, but it is much more credible, so it is more for search engines and social networking sites."

Asked about the change in fine level, Ustaran said it was a massive change. "What they are trying to do is send a signal out to big multi-nationals saying 'don't get it wrong as the consequences are serious'," he said.

Practical steps

Amar Singh, chair of the ISACA UK security group, said: "The new directive is certainly going to grab the attention of every CEO and business owner. The obvious plan of action for those who do not want to be awarded the 'made example of' badge is to start planning now.

"Some practical steps should include: understand the gaps and risks (with the data protection context) and start looking for a long term in-house governance, risk and compliance team or outsourcing this function to a firm who can manage this critical function."

Singh also predicted an increase in the use of data-at-rest encryption technologies and greater assurance from cloud vendors.

Harden systems

Dwayne Melancon, chief technology officer at Tripwire, said: "Countries have been given two years to put the EU directive into place and organisations should be using this time to tighten their security programs; ensure that incident detection and response processes are in place and effective; and harden their systems, applications and networks to reduce the risk of breaches.

"The size of the fines connected with the directive is so big they will definitely get the attention of CEOs and boards. It is incumbent upon senior business executives to seek clear answers about security risks from information security leadership to ensure appropriate steps are taken to enable compliance with this Directive before it takes effect."

Ustaran said that this is by no means the final draft, as the European Council will be next to run over the details and make their decisions. "The pressure is now on the Council as they need to produce a draft this side of Christmas and before April to negotiate the final text and it is a massive task in five months to agree on something as high profile as this, but I believe that it will happen as it is too important," he said.

Dan Raywood is editor of IT Security Guru