Security: Prepared for the EU's New Data Protection Regulation?

As the U.K. prepares to begin enforcing its version of the European Union's E-Privacy Directive later this week, the 27-member nations of the E.U. are considering new draft legislation that would reform and harmonize data protection laws.

Page 2 of 2
  • Encryption. One of the first steps regulators often take following a data breach is to require the adoption of encryption technology. Organizations can sidestep the expense and difficulty of implementing encryption on short notice by implementing it now.
  • Service levels. The data protection laws require companies to have strong written service levels in place with suppliers that are given access to PII. Bäumer and Ostermann note that regulators will look poorly on companies that suffer a data breach if they do not have strong SLAs in place.
  • Data breach notifications. Some European countries already have data breach notification laws in place, and some sectors (like financial services and telecom) are also already broadly subject to such laws. But the new legislation would extend those requirements to all organizations in the E.U. Bäumer and Ostermann recommend company management determine whether their organization is ready to meet the new requirements.
  • Supplier due diligence. They note that in the event of a security incident, regulators will look closely at the pre-contract due diligence undertaken on the supplier. Regulators are likely to look more favorably upon organizations which undertake such due diligence.
E-Privacy Compliance

The new legislation would update the existing E-Privacy Directive to require that opt-in consent be obtained before implementing any device or Internet usage tracking technology. Bäumer and Ostermann say that the biggest challenge many businesses would face is how to explain and obtain consent for the use of such cookies or other tracking technologies without putting off visitors to their websites. They recommend companies undertake an audit of their cookies and other tracking technologies to assess what they are used for and why. In addition, they suggest companies review their privacy policies with regard to tracking technologies and present notices to users.

Thor Olavsrud covers IT Security, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Thor at tolavsrud@cio.com

Copyright © 2012 IDG Communications, Inc.
