EU Prepares Tough Breach Notification Law
Measure Would Apply to All Who Do Business in Europe
The European Union is expected to approve in October an updated data protection law that spells out uniform breach notification requirements, security expert Jacky Wagner explains.
The proposed data protection directive would apply to any business that targets Europeans with goods or services, no matter where the business is based, Wagner, a managing director at the consultancy PricewaterhouseCoopers, says in an interview with Information Security Media Group.
The new law would require any business that suffers a data breach involving personal information to alert regulators and directly notify affected individuals "without undue delay." EU member nations' current laws "don't have any explicit requirement around notifying either regulators or individuals if there's been some sort of breach of their personal information," Wagner says, except for the EU's E-Privacy Directive, which only applies to telecommunications providers and ISPs, and which only requires authorities to be notified.
Europe already has some of the strongest privacy regulations in the world - except when it comes to breach notifications. "We've seen - over the last several years - most of the states in the U.S. pass notification laws that require explicit notification if an individual's data has been breached," Wagner says. The revised EU law would now include a similar provision. "So that's clearly a significant change. ..."
In addition to tough breach notification requirements, the measure also would require businesses of a certain size to hire a data protection officer.
In an interview with Information Security Media Group, Wagner also discusses:
- A likely timeline for EU data protection changes;
- How the new law should ease the compliance burden for multinational businesses that operate in multiple EU countries and now face a patchwork of country-level regulations;
- How the so-called "right to be forgotten" may be included in the new law.
Wagner, a PwC managing director, leads the consultancy's data protection and privacy practice for the New York metropolitan area. She has nearly two decades of experience in data protection, privacy and compliance programs. Wagner is a chartered accountant in Australia, holds degrees in both accounting and computing, and is also a Certified Information Privacy Professional.