New legislation is expected to replace the EU Data Protection Directive 95/46 and reduce the bureaucratic burden on organisations, while increasing their responsibility to protect data and to acknowledge and report data breaches.
There will also be stiffer penalties for companies that do not meet the legal requirements.
Three main requirements included in a leaked draft are:
1. Mandatory notification of data breaches. The draft recommends that the relevant Data Protection Authorities and any affected individuals are notified within 24 hours of a data protection incident.
2. Requirement for named data protection officers in public sector organisations and in all companies exceeding 250 employees.
3. Increased fines for non-compliance, up to one million Euros or up to 5% of an enterprise's annual worldwide revenue.
Another interesting comment concerns social networking websites, which may be required to hand data back to users when they close their accounts, so that they can post it elsewhere.
Right to be Forgotten
The phrase "right to be forgotten" means Internet companies would be required to erase all data they hold and, in some cases, all traces of that data on search engines, if members withdrew their consent for it to be used.
ISO 27001 Information Security
One way to mitigate the risk of non-compliance under the new data protection legislation is to implement an Information Security Management System to the requirements of ISO 27001.
This risk-based standard provides a management framework that will ensure the correct policies and procedures are in place for all applicable legislation.
In the meantime, we look forward to European Commissioner Viviane Reding's presentation later today.
Proposal Released: http://ec.europa.eu/justice/newsroom/da … 125_en.htm