Half of public sector 'unaware of data protection proposals'
Half of public sector organisations are unaware of a proposed European regulation which would increase data protection requirements and increase the level of fines for breaches to €1 million, according to a new survey.
In March, the European Parliament voted strongly in favour of the draft directive, which would unify data protection laws across the whole of the European Union.
But a survey of European organisations revealed that 49% of public sector organisations are unaware of the proposals, which could come into force as early as 2017. This compares to a figure of 36% across all respondents, including private sector firms.
Rik Ferguson, vice president of security research at Trend Micro, said: “With ratification expected in 2014, it’s alarming to see how little is known about such key privacy regulations.
“As organisations look to gain maximum value from a new generation of big data projects, data privacy should be a board level discussion.
“This is not just an IT issue; the duty to comply falls to everyone from the receptionist right up to the CEO.”
The survey showed that only 11% of public sector respondents who say they are aware of the proposals rated their knowledge as “very good”, with 30% saying it was good and 34% saying it was satisfactory.
Around half of all those surveyed in the public sector supported the idea of the new regulation.
The top measure identified as necessary to comply with the new rules was increased training (55%) followed by investment in IT security (50%). 18% said that their existing protections were satisfactory to meet the requirements of the proposals, compared to 11% across all sectors.
Currently the Information Commissioner’s Office can fine public sector bodies and companies a maximum of £500,000 for breaches of data protection laws.
The draft proposals would see this increased to €1 million (£824,000), although the European Parliament is pushing for this to be raised to €100 million.
The proposals would also introduce a right for individuals to force organisations to remove their details from databases if there is no longer a legitimate reason for keeping them.
The draft regulation is now subject to negotiation between the European Parliament and the Council of the EU.
Speaking today at a round table event to discuss the proposals, Vinod Bange, data protection lawyer at law firm TaylorWessing said: “It is clear that this is going to cost organisations money to put themselves in the position of compliance. But it will also cost them if they don’t comply.”
Ferguson said: “These findings need to serve as a wake-up call, both to businesses and government, that these changes are coming and we all need to prepare.
“If they don’t take action there’s the very real chance that they might wake up with a nasty fine on their hands that could potentially have a major impact on their business.”