A few months ago we marked three years since the European Union Data Protection Directive was announced and in this writer’s opinion, it’s time for “A little less conversation a little more action”.
This week I attended a roundtable hosted by Fujitsu, whose information assurance consultant John Alcock said that despite it still being two years away, it was time to consider it and it is something that he sees that security people want to get a grip of.
Also in attendance was Neil Thacker, information security and strategy officer EMEA at Websense, who claimed that the delivery of the directive has created interest among businesses, particularly with the appointment of more chief privacy officers. “It is 20 years since the current directive was published, it is time to move onwards and upwards,” he said.
Also on the roundtable was Rik Turner, senior analyst at Ovum, who said that since the publication of the last directive, we have seen cloud, mobile and Big Data happen and the case now is that citizens do not know where data resides.
The general agreement on the roundtable was that “nothing is agreed until everything is agreed”, and this seems to be the case as to why it has been so slow in progressing. Thacker said that from the perspective of the CEO, they want to reduce the cost of the data breach, and in his experience the majority of organisations do not have great data security anyway.
“They may be focused on data security and compliance, and it is usually understand that collecting is one thing, but how you process it and how it flows is usually the bigger problem, as often it is not meant to leave the company but it does,” he said.
Thacker said that the role of the chief privacy officer is similar to that of the data protection officer, as in they will help with legal representatives and the principles of the current directive. Those of you with long memories will recall the plans to introduce a data protection officer (opens in new tab) in every business, and that prediction seems to have been realised.
A survey of 150 IT decision makers by Fujitsu found that 80 per cent believe that more stringent data protection laws are needed, and that 40 per cent do not believe that current regulation around data protection and privacy is adequate to protect an individual’s data.
Also perhaps that “chief” word in the title is one to show that the board is taking notice, as 80 per cent of IT decision makers want to see the regulation discussed at boardroom level. Thacker said that it should be an ongoing concern as what is coming has not been changed.
Asked by IT Security Guru why there has been such a hold up, Thacker said that there are many who want a clear answer, and there is the danger that we will end up with a watered down approach that adds more confusion.
There was a feeling that a delivery date of 2016 or 2017 was more realistic, but considering that it was announced in January 2012, I feel that a lack of communication on the state of the directive has been one of its key features and failings.