Cyber: EU steps up on data security and privacy

27 May 2014

Cyber security experts are telling companies operating in Europe that they need to prepare their businesses for the impacts of upcoming changes to EU data protection laws.

EU data protection is set for an overhaul. On 12 March, the European Parliament supported, by a large majority, proposals for a new EU-wide General Data Protection Regulation – expected to be launched and enforced by 2016.

The proposed changes aim to put people in control of how their personal data is collected, stored, used and transmitted. The laws on data protection have not been updated since the advent of social media and widespread e-commerce; the proposals aim to provide a single set of rules that will replace the national laws currently governing data protection.

Underlining the seriousness with which matters of privacy and security are taken, there is some discussion of penalty caps for serious breaches of up to €100m or 5% of global turnover under the updated EU data protection regulations. For comparison, in the UK, the Information Commissioners’ Office is currently able to impose fines of only £500,000 for serious breaches.

“Financial loss and cost to recover post-breach are both rising,” said Mark Hendry, a Cyber specialist at PwC. “But businesses also need to consider the impact to operations and company reputation. Consumers are increasingly aware of the security profile, attitude and ethos of organisations they transact with. Organisations are increasingly considering the security of their supply chain when they contract and award business.”

Mr Hendry urged that cyber security be considered at the highest level: “Cyber risk should be considered as an enterprise risk – not tucked away on the IT departmental risk register.”