Data protection: carrot or stick?

Proposed changes to EU data protection laws have been in the spotlight this month.

The European Commission has put forward a raft of proposals that it hopes will standardise data protection regulations across all 27 member states. The new laws, according to the EC, will give people easier access to their own data and give users the right to demand that data about them be deleted if there are no “legitimate grounds” for it to be kept.

The proposed changes will also compel organisations to notify the authorities about data breaches as early as possible, and mean companies with 250 employees or more will be obliged to appoint a data protection officer.

What’s more, companies that breach these new laws could face fines of up to 2% of their global turnover. It’s little wonder that this is a move that has been met with equal measures of celebration and derision.

While the British government has already begun the consultation process, asking businesses for their views on how these changes will impact them, there have already been reports of dissent from the business sector, with those who see the proposals as another burden on companies making their views loud and clear.

Internet giant Google has already been at loggerheads with EU officials this month, refusing to postpone controversial changes to its privacy controls that, it says, will enable better sharing of the personal data of its hundreds of millions of users across the services it offers.

However, it’s clear that the proposed EU regulations, although aimed in the main at new media companies, have implications for all organisations in the region that store customer information.

Despite accusations of EU meddling, there are good reasons why the law in this area is long overdue for a thorough update.

The current EU directive on data protection dates back to 1995. While this may only be 17 years in “real time”, it’s the equivalent of an entirely different epoch in terms of the amount of data stored by companies and the way that data is put to use today compared with the mid-nineties.

Last year, the prestigious journal Science calculated that the amount of data held around the world had increased by 58% year on year in the two decades prior to 2007 – massive exponential growth that has transformed the world we inhabit.

Who in 1995 could, for example, have envisaged the incredible success of Facebook, a company whose business model is almost entirely based on collecting and sharing personal information? Recent suggestions the company could be worth as much as $100 billion show just how valuable customer data is to modern-day organisations. By our reckoning, if this valuation is correct, it means the personal details of every one of Mark Zuckerberg’s 800 million Facebook users are worth around $117 each. And that rudimentary maths begs an important question – would you sell your list of friends, date of birth, and much more for just shy of £100?

When announcing the proposed law changes, the EU’s Justice Commissioner, Viviane Reding, emphasised the intention was to give users, particularly teenagers, greater control of their online identities. Most young people entering the online world today are likely to have a far more open attitude towards how their personal data is used compared with more mature internet users – in a lot of ways this is because they know no different.

Since the previous application of the law in 1995, the online landscape has changed beyond recognition. Today, the default setting is share, and a revision of the laws governing this virtual Wild West is in many ways timely. Perhaps a tightening of laws in this area will also go some way to improving the shoddy record many companies and organisations have when it comes to data protection.

Annual statistics released this month by the Information Commissioner’s Office show there has been a 58% increase in data protection breaches by companies in the private sector compared with last year. Notable recent cases include the attack on the global Sony PlayStation video game online network, which saw hackers steal the names, addresses and possibly credit card details from 77 million user accounts. WordPress and Dropbox have also revealed recent security breaches while mobile phone operator O2 is reported to be facing a fine of up to £500,000 for privacy transgressions.

The picture is equally bleak in the UK public sector where some 132 local authorities have admitted to a total of 1,035 cases of data loss or theft between 2008 and 2011. More recently, news broke that Brighton General Hospital could be fined £375,000 after computer hard drives containing confidential patient information were stolen.

Many of these examples come not as a result of any malicious intention on the part of companies and public sector organisations, but from the nefarious practices of cyber criminals. But this is the reality of the online world today and, it would seem, many businesses and organisations need to up their game.

While the threat of being fined 2% of global turnover is a significant stick with which to force companies to apply better data protection measures, the oft-quoted loss of reputation that comes with any breach should not be underestimated.

While this outcome can be difficult to quantify, recent research from security firm Experian suggests the average knock to a brand’s value due to a data breach is around the 12 per cent mark, and that it takes firms around a year to fully recover their reputation in the wake of a breach.

There are plenty of reasons why businesses will feel instinctively compelled to resist the proposed EU regulations: the cost of compliance being top of the list.

But perhaps the real question that business leaders should be asking themselves is: “Can we afford not to?”

