Time for CIOs to act on proposed EU data privacy laws
December 2013

IT leaders and their security chiefs need to start preparing for dramatic changes to EU Data Protection Regulation, says William Long, partner at law firm Sidley Austin.

In a digital world that is increasingly dominated by big data, cloud computing, mobile technologies and social media, and where information security is a top-of-agenda boardroom issue, the role of CIOs continues to develop and take on extra significance.
The European Commission's recently proposed EU Data Protection Regulation is designed to introduce a new data protection regime, which the EC believes would be more appropriate to the global digital economy. And due to the potential impact that it would have on virtually all industries, the regulation has been described as the most lobbied piece of European legislation in history.

The proposed regulation, which will likely come into force some time in 2015, would not only apply to European businesses but to any organization outside the EU that processes personal data obtained through the offering of goods and services to EU citizens, or from the monitoring of individuals. As a result, most companies outside the EU that have European customers would need to comply with the proposed regulation once it's adopted.

Assuming the regulation goes ahead as proposed, there would be significant penalties for companies that failed to observe it. As it stands, non-compliance could expose organizations to fines of up to 5% of their annual worldwide revenues, or up to €100 million ($136m).

Security and notification of security breaches

Under the proposed regulation, organizations would be obliged to have security policies that include a process for regularly testing, assessing and evaluating the effectiveness of those policies, as well as procedures and plans to ensure the ongoing effectiveness, confidentiality, integrity, availability and resilience of systems. They would also have to report security breaches "without undue delay." Organizations would consequently have to review their security breach procedures and policies to ensure compliance with the new breach notification obligations.

Requirement to appoint a data protection officer

Organizations that process the personal data of more than 5,000 individuals in any consecutive 12-month period, or that process risky data, would be required to appoint a data protection officer (DPO). The DPO would need to be appointed for a period of four years (if an employee of the company) or two years (if an external contractor) and would have to have expert knowledge of data protection.

The proposed regulation would also require businesses to adopt all reasonable steps to implement the necessary compliance procedures and policies to protect personal data. These procedures and policies would need to be reviewed every two years. In addition, businesses would need to implement privacy by design throughout the entire processing cycle, from collection to deletion of personal data, maintain regularly updated documentation and, in certain cases, carry out privacy impact assessments.

While the proposed regulation may not be finally adopted until after the European Parliamentary elections in 2014, CIOs should now start reviewing their organization's information security infrastructure and assess compliance with such potential future obligations.

William Long is a partner in the London office of US law firm Sidley Austin LLP.

First published December 2013