It is essential for any business operating in the modern world to know the data protection laws and how it is affected by them – even if in some special circumstances it would find itself exempt. If the confidence that customers and clients place in how a company treats their data is not motivation enough to raise standards, then the advent of severe penalties in the coming years should certainly make business owners and operators pay more attention.
According to Lisa Jackson, ICT Solicitor at Leman Solicitors in Dublin (and a former colleague of ours from a previous incarnation of Technology Voice):
“New laws come in the period surrounding 2015 and if you are found not to be in compliance with them then the penalty for that could be 2% of your global turnover.”
In addition to these rather steep fines there is the possibility of intensely negative PR that could ruin a person’s business reputation for many years into the future, if not for life. Lisa says that, depending “on the nature of your breach you could end up in the papers. Certainly, if the Data Protection Commissioner (DPC) catches wind that you are not in compliance then he can come down and investigate you.”
Data controllers who repeatedly or seriously run afoul of the relevant data protection laws can find themselves featured in case studies on the DPC website with the possibility of having their names mentioned again in the annual reports. The DPC are aware that there is a process of education and awareness that needs to take place so there is no formal naming and shaming policy.
However, being known as a person who knowingly flouts data protection legislation would have a hugely negative outcome for a number of reasons:
- Newspaper journalists who check these posts regularly may publish stories which can only reflect badly on a company.
- It opens a path for litigation from disgruntled users.
- It may put a real cap on growing the business as future investors will be reluctant to be involved with transgressors of a law that deals with such a sensitive issue.
In January 2012, the European Commission proposed a comprehensive reform of the data protection legislation. This was largely in response to the massive technical progress and innovation that has taken place since the creation of the original Data Protection Directive of 1995.
These directives define essential principles concerning data protection that allow law-makers in the EU to formulate and enact the appropriate legislation. For data to be secure there first should be clarity about what constitutes secure data and clear protocols for the handling of private and personal information.
Lisa points out that, “Without legislation and without any sanctions to penalize companies or guidelines to set out the best practice for companies to follow when protecting personal data they hold belonging to someone else then there would be no effective security at all and this would have a huge impact on personal privacy.
“The law just sets out the ground rules. It is the basis on which everything else is built.”
Although in Europe the regulations of individual countries are not closely harmonized (each of the member states has been allowed to implement the directives a little bit differently), things are very different for a non-member nation.
“Europe is the most secure place for data,” Lisa says. “It is the place where the rules are most stringent. When transferring data to and from America, Americans need to actually step up to our laws.”
“If they don’t adhere to those rules then they are not allowed to transfer data.”
While some may view yet more legislation as burdensome, there is a tremendous upside to complying with both present and future data protection regulations.
“You are proving that you have a certain amount of security around your data and that you put a certain amount of thought into your systems.”
In July 2012, Lisa was involved with a seminar that was ostensibly concerned with software licensing. However, according to Lisa, in the ensuing Q&A session, four out of every five questions were about data protection.
“Pretty much everyone in the room had a question about data protection. I think there is a lot of misinformation out there and people don’t know how to comply.”
To fulfill the clear demand for more information about data protection, Lisa has organized a special event which she will be chairing, “LOCK UP YOUR DATA – Data Protection Panel Discussion”. It is free and takes place on Friday, 14 September 2012, 2:30pm – 4:30pm.
One of the speakers will be the Data Protection Commissioner, Billy Hawkes.
Apart from simply discussing aspects of the relevant legislation at hand, Lisa also hopes that the event will be seen as an important and positive response to the seemingly all-pervasive talk in the media about leaks and breaches where security hasn’t met the standards that it should have.
“Why not have an event that was positively focused and gave useful information on how to protect data for small to medium companies so they can learn to comply with their obligations rather than just hearing about all the negative press surrounding data security breaches and failures to uphold data protection obligations.
“This is also an event where you can informally ask the Data Commissioner the questions that concern you.”
But even if you should find yourself in the unfortunate position of being unable to attend, Lisa makes this particularly pertinent suggestion for companies that are starting out and have not yet registered with the DPC.
“The important thing to do when building your company from the ground up is to start thinking about your obligations at that point. Not to leave it two years down the line, when you haven’t registered and you are now going cap in hand to the Data Protection Commissioner to excuse yourself for not having registered for the previous years when it is so easy to do and it is so inexpensive.”
Ireland – Data Protection Commission
US – Safe Harbor Framework: basically a self-certifying process organized by the US Department of Commerce to enable companies to comply with EU data protection regulations.
LOCK UP YOUR DATA – Data Protection Panel Discussion Free: Friday, 14 September 2012, 2:30pm – 4:30pm