There are two new initiatives under construction in the EU: Network and Information Security (NIS) and General Data Protection Regulation (GDPR) legislation.
The GDPR is set to be finalized in early 2015, with compliance becoming mandatory in 2017. The NIS directive – set to be implemented this year – will impose new security and incident reporting requirements on a broader range of companies in the private sector.
Cyber crime and cyber security are gaining awareness among both businesses and consumers after the Snowden revelations and some big security breaches. However, various studies indicate that, despite this rising awareness, the level of preparedness is still rather low.
Why does your company need to care?
The security obligations of European organisations increase notably with the introduction of the new security and privacy laws.
Online privacy has certainly become a major issue in the minds of consumers. In fact, almost half (45%) of Brits believe it's more important than national security, and 89% of British internet users say they avoid companies that do not protect their privacy. This, in addition to the legal obligations, makes data confidentiality a concern for companies as well, as does the fact that the vast majority of data breaches (93%) occur as a result of human error.
So what’s in the legislation?
The new legislation will streamline the security guidelines across the European Union, and will affect all organizations operating within the borders of the EU, regardless of where they store the data that they handle.
The new regulations will require organizations to:
- Inform users of data breaches without undue delay (within 72 hours) after they become aware of them.
- Give end users the right to request a copy of their PII (Personally Identifiable Information) in a portable format that can also be transmitted electronically from one processing system to another.
- Provide the right to erasure: the end user can request the organization to delete all PII if there are no legitimate grounds for retaining it.
- Obtain valid consent to collect PII, consent which can also be withdrawn.
- Obtain regulatory approval to transfer PII outside of the EEA to countries not approved as having adequate data protection measures in place.
- Appoint a data protection officer to ensure compliance (likely applicable to companies with more than 250 employees and/or those who process more than 5,000 data subjects within 12 months, and all public bodies).
- Publish contact information for the data controller.
- Build data protection into the business process, product, and service development (Privacy by Design).
In addition to fines resulting from possible non-compliance, companies also cite legal costs and lost business due to data breaches as some of their biggest worries. Using only the highest quality anti-malware and business protection products can greatly reduce the risk of security breaches and help eliminate human error.