Share

Organisations will find it difficult to identify and carry out data breach notifications within 24 hours, according to industry experts.

Organisations will find it difficult to identify and carry out data breach notifications within 24 hours, according to industry experts.

The new EU data protection laws revealed today will require all companies and organisations to notify the national supervisory authority and affected citizens of any serious data breaches within 24 hours.

"Mandatory reporting of data breaches within 24 hours will be difficult, if not impossible, to comply with," said Bridget Treacy, partner at law firm Hunton & Williams.

Gerhard Eschelbeck, CTO at IT security firm Sophos, agreed, describing the deadline as "very aggressive", and said that this would impact the quality of the breach notifications.

According to Ross Brewer, VP and managing director for international markets at log management solutions provider LogRhythm, this quality issue has already become a problem in the US.

"Unfortunately, all too often [data generated by organisations' IT systems] is managed in an inefficient and disparate manner. This can lead to inaccurate data breach notifications being issued.

Related

"This 'over-disclosure' has become a particular problem in the US. Many companies have found themselves forced into issuing blanket breach notifications, which may even overstate the severity of the incident, due to a lack of visibility within their IT systems," he said.

A fine of up to two percent of annual global turnover for businesses that breach the data protection laws has also been proposed today.

Pat Phillips, practice director at consultancy Xceed, said that this was a particular area of concern.

"The real worries are around those parts of the bill that can directly impact the bottom line. With the threat of a fine of up to two percent of annual global turnover, CISOs will already be girding themselves for safeguarding the business' profitability alongside its data," he said.

Marc Dautlich, head of information law at law firm Pinsent Masons, agreed that the new regulations will have a significant impact on business costs.

"[With the two percent fine] the penalties for non-compliance are extremely large," he said.

"Fixed costs on medium-sized companies will increase as they will need to appoint a data protection officer, no matter how little personal data they actually process in Europe."

However, he noted that the proposed fine had fallen from the fine of up to five percent of global turnover that had been leaked previously. Dautlich also identified a number of potential problems with the system.

"The drop in the maximum potential fines is of course some relief for data controllers, the result of behind the scenes pressure at the [European] Commission in view of the current economic climate.

"Levying fines by reference to global turnover, however, will be a steep learning curve for most data protection authorities in Europe," Dautlich said.

In competition law, where fines-by-global-turnover is standard, the system has been subject to lots of legal challenge, he said.

It raises questions such as, which year's turnover to use to calculate the fine, and whether the turnover of a company, or of the group, is used to work out the penalty.

Meanwhile, Francois Zimmermann, CTO at Hitachi Data Systems UK, wondered if the new laws were future-proof enough.

The proposals announced today will only come into effect two years after the new regulations have been adopted.

"If it is a further two years before internet companies are legally obliged to comply with the latest changes, will they still be relevant?," he said.

"Since the last raft of changes was made to the legislation in 1995, we have seen ever-increasing amounts of personal data routinely transferred in a manner beyond our control.

"To implement effective data management policies, the rules and policies should be updated as part of an evolutionary process, which changes being introduced as and when they are needed, rather than in a raft every few years or so. This will challenge organisations to have an infrastructure in place that can cope with this constant change."