Are You Breaking The Law? Understand The Impact Of The European Data Protection Act

Reineke Reitsma

Yesterday, I realized I have a criminal side. Of course, I know that I have a bit of a history of speeding. And I’ve had my share of parking fines. But until yesterday afternoon, I didn't think I had ever violated someone else's property rights. Now I know that I have – and I do it quite regularly as well.

Yesterday, I attended a session by Barry Ryan, Director Policy & Communication at EFAMRO – the European Research Federation. I’m interested in privacy issues and have been attending some of the privacy debates hosted by Esomar. And yet, during Barry’s talk, the real impact of the current European Data Protection Act rules took me by surprise.

Some of the things I learned:

  • The data protection laws talk about data. Data is defined as every type of information in a machine (device). When I’m talking and you’re listening, there’s no data. When I’m talking and you record my voice or take a picture, there’s data.

Open & Honest - Should Breach Disclosure Be Mandatory?

Andrew Rose

A few months ago I shared a flight with a very pleasant lady from a European regulatory body. After shoulder surfing her papers and seeing we were both interested in information security (ironic paradox acknowledged!) we had a long chat about how enterprises could stand a chance against the hacktivist and criminal hordes so intent on stealing their data.

My flight-buddy felt that the future lay in open and honest sharing between organisations – i.e. when one is hacked they would immediately share details of both the breach and the method with their peers and wider industry; this would allow the group to look for similar exploits and prepare to deflect similar attacks. Being somewhat cynical, and having worked in industry, I felt that such a concept was idealised and that organisations would refuse to share such information for fear of reputational or brand damage – she acknowledged that it was proving tougher than she had expected to get her organisations to join in with this voluntary disclosure!

Across the US and Europe we are seeing a move toward ‘mandatory’ breach disclosure; however, they have seemingly disparate intentions. US requirements focus on breaches that may impact an organisation's financial condition or integrity, whilst EU breach notification is very focussed on cases where there may have been an exposure of personal data. Neither of these seems to be pushing us toward this nirvana of ‘collaborative protection’.

In the UK, I’m aware that certain organisations, within specific sectors, will share information within their small closed communities; unfortunately this is not widespread and certainly does not reflect the concept of ‘open and honest’ as my flight-buddy would have envisaged.
