What do SMEs need to know about new EU Data Protection rules?

Add to: Digg Add to: Del.icio.us Add to: Facebook Add to: Furl Add to: Google Add to: Live Spaces Add to: MySpace Add to: StumbleUpon Add to: Twitter
Tuesday August 5, 2014 at 8:39am
In March 2014 the European Parliament agreed at committee level to the EU Commission’s data protection reform. It appears that EU heads of state have committed to a timely adoption of these planned new laws. But what do they mean for business owners?

There are three fundamental areas that businesses should now be aware of:

  1. One continent and one law. There will be one single framework law covering Data Protection that all member states must comply with.
  2. There will be a ‘one stop shop’ approach for organizations. There will be one authority to deal with not various as there are presently.
  3. Rules apply regardless. Businesses operating outside the EU but doing business within it, will have stronger adherence requirements.
The new regulator will have powers to fine up to two per-cent of an organization’s annual turn-over.

What do new data protection rules mean for SME’s?
There have been conflicting reports with statements of byzantine bureaucracy for the SME sector. It appears at present that the planned EU legislation will benefit SME’s:

  1. SME’s will not have to appoint a Data Protection Officer, as long as data operation is not their fundamental business activity.
  2. There will be no more notifications for SME’s. Watch this space though.
  3. Subject access fees may increase. Although we await more details.
  4. Impact Assessments. There appears to be no legal obligation to conduct an impact assessment unless risks define the need.

Of course, SME’s should keep an eye on the up-dates to the proposed EU Data Protection Directive to see exactly how they will affect their particular business. Although there appears to be a more practical approach to regulation for SME’s it’s worth remembering that other regulators such as the FCA etc. can impose huge fines for data loss.

Programmes of good data handling, updates in regulation and reviews of information security can help prevent breaches of data protection law. The international standard for Information Security management, ISO27001 helps to apply information security controls and procedures within a business and BS10012 the PIMS Standard help organisations comply with data protection requirements.

As information security management consultants we know that a formal standard can help provide a structure to the data control and management within your business, but whether you pursue ISO27001 or not, if you are a business that handles data to need to comply with data protection requirements and keep an eye open for any changes in EU rules.

Marcus Allen
Parker Management Consultants

Comments on this post:

There aren't any comments for this post yet. Why not be the first to comment?

Share your experiences:

Your Name  
(to appear with your comment)
Email Address  
(will not be published)
Human Validation Check  
In the box below, please type the characters that you see in the picture. This helps us to ensure a real person (and not a crafty computer!) is submitting this form.

Enter the code shown to the left:

Parker Management Consultants, 1st floor, Dominion Court, 43, Station Road, Solihull, B91 3RT Contact us here