EU proposes radical data protection refresh
The EC does as expected in proposing 24-hour breach disclosure rules and heightened powers for regulators like the ICO.
"Where this cannot achieved within 24 hours, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions."
For those of us who are familiar with dealing with a difficult security breach, having to contact a regulator in that massively important, golden 24 hours would be an unnecessary and unwarranted distraction.
Even though companies such as Sony and RSA have recently been lambasted for not reporting breaches soon enough, many have suggested the rule is too strict and could result in poor reporting of incidents.
"It's not helpful to specify a strict time in the way they've done," Stewart Room, partner in Field Fisher Waterhouse's technology law group, told IT Pro. "The regime that we have for telcos and ISPs, of reporting without undue delay, would be the right regime.
"For those of us who are familiar with dealing with a difficult security breach, having to contact a regulator in that massively important, golden 24 hours would be an unnecessary and unwarranted distraction. What may happen, rather than focusing totally on remedial action, the unfortunate organisation that suffers a breach is going to be focusing more on regulatory action."
Containment, mitigation and recovery should be on companies' minds after a breach occurs, Room added.
Others have suggested the 24-hour rule will lead to inaccurate reporting of data breaches, leading either to over or understated reactions.
ICO boost?
The new EU rules could favour the UK's data protection watchdog, the Information Commissioner's Office (ICO), which has been asking for greater enforcement powers, even after it was given the ability to fine companies up to 500,000.
The EC wants to "further enhance the independence and powers of national data protection authorities (DPAs) to enable them to carry out investigations, take binding decisions and impose effective and dissuasive sanctions, and oblige Member States to provide them with sufficient resources to do so."
It would like to see DPAs allowed to fine companies as much as 1 million or up to two per cent of the global annual turnover of a company.
"I would have thought all the data protection regulators are going to be made up it's like Christmas for them," Room said.
"It's very clear who the winners are - data protection regulators, data protection lawyers, data protection consultants and data protection officers. What's less clear is how do data subjects, controllers and processors win."
-
Dell PowerRack launches at Dell Technologies World 2026 as a ‘turnkey’ networking, storage, and compute system for AIThe newly announced solution is designed to help organizations get up and running at super speed
-
Dell unveils Deskside Agentic AI at Dell Technologies World 2026News Deskside Agentic AI is the latest in the Dell AI Factory with Nvidia stable, with the company saying it further demonstrates its end-to-end enterprise AI capability
-
"Consumer messaging apps were never designed to handle sensitive communications" – Government decision-makers are confused about messaging security, BlackBerry report findsNews Despite official warnings, they're still routinely using WhatsApp for confidential communications
-
‘Reducing reliance on foreign tech infrastructure is key’ to European tech success – and its survivalNews MEPs have once again called for decreased reliance on foreign tech infrastructure
-
EU lawmakers want to limit the use of ‘algorithmic management’ systems at workNews All workplace decisions should have human oversight and be transparent, fair, and safe, MEPs insist
-
LastPass hit with ICO fine after 2022 data breach exposed 1.6 million users – here’s how the incident unfoldedNews The impact of the LastPass breach was felt by customers as late as December 2024
-
Cyber pros say the buck stops with the board when it comes to security failingsNews Fines, sanctions, and even prosecution are all on the table when it comes to cyber failings, practitioners believe
-
Scania admits leak of data after extortion attemptNews Hacker stole 34,000 files from a third-party managed website, trucking company says
-
23andMe 'failed to take basic steps' to safeguard customer dataNews The ICO has strong criticism for the way the genetic testing company responded to a 2023 breach.
-
European Commission calls for cyber security proposalsNews With a special focus on healthcare, the Commission is looking to allocate €145.5 million
