Haven't yet found any compelling reason to deploy data security solutions like managed file transfer (MFT) and data loss prevention (DLP)? Looks like the European Union is about to give you one. If the provisions in the leaked draft of the regulation for the new European Data Protection Directive are carried over into the final form of the law, EU companies, as well as global companies that operate in EU member states, will have to improve their IT security in order to comply with the regulation or risk incurring heavy penalties.
Fines and onerous provisions
Such penalties may include fines of up to 5% of a company's annual worldwide turnover. Economic downturn or not, fines of that size can knock a business down. These penalties don't just cover European companies but also other global companies that operate within the jurisdiction of the EU. So if your company is based in the US but has a subsidiary in Ireland, that subsidiary may be subject to these fines if it is caught violating the rules.
Another alarming provision in the proposed regulation stipulates that a company that discovers a data breach in its systems has only 24 hours to notify all affected parties and the authorities about the incident.
These and other onerous provisions in the proposed new regulation are aimed at providing improved protection of personal data while preserving the free movement of such data. Although the previous EU Data Protection Directive had practically the same objectives, legislators want the law to keep abreast of the mounting risks resulting from ever more rapid data collection and sharing.
The old regulation was crafted about one-and-a-half decades ago. Since then, the scale of data collection and sharing has grown by many orders of magnitude.
Move to harmonize existing data security laws
To achieve the free flow of data even under strict regulation, the EU aims to harmonize the rules on the protection of personal data. In the current setup, the EU Data Protection Directive gives member states a basic set of principles on which they build their own legislation. This can be a pain in the neck, and naturally expensive, for businesses that need to conduct international transfers of personal data on a regular basis.
If, say, your company needs to transfer personal data from your offices in France, Romania, Portugal, and Poland to your other office in Spain, you would have to comply with the disparate data privacy laws of each of those countries.
Because both the frequency of cross-border transfers of personal data and the volume of data being transferred are growing rapidly, the EU now feels more urgency than ever to harmonize these laws while ensuring a high level of protection for personal data.
Other countries also included
In addition, the EU also wants to ensure protection for transfers made from member states to third countries (countries outside the EU) or to international organizations. In the leaked draft, you can find an entire chapter dedicated to this particular issue.
That chapter mentions a set of criteria that the European Commission may use to assess the adequacy of the level of protection afforded by certain groups within a third country. Whether a data transfer will be allowed will be based on these assessments.
How a managed file transfer solution can help you achieve compliance
Clearly, traditional methods of file transfer such as plain FTP, which sends credentials and file contents in cleartext and is therefore vulnerable to a variety of attacks, won't do. To achieve a level of protection that can satisfy the criteria that may be specified in the new regulation, you need to implement secure file transfers that support different kinds of protection.
For example, if you employ JSCAPE's managed file transfer solution, you can choose between FTPS and SFTP to protect sensitive data while it travels across the network. JSCAPE MFT Server can even support OpenPGP encryption, which protects your data once it reaches its destination.
Although we don't yet know exactly what criteria the new EU Data Protection Directive will contain, being able to protect both data in motion and data at rest is already a major step towards achieving a high level of protection.
How a Data Loss Prevention solution can help you achieve compliance
One of the biggest challenges you will face in striving to achieve compliance is identifying the data that need protection. With all the data you collect, process, store, and transmit every day, there will be many places where that data is vulnerable to attack. Pinpointing where the sensitive information is and distinguishing it from non-sensitive data is a herculean task.
There is no way you will get the job done cost-effectively without automation. That is why DLP is the best way to handle this challenge. A DLP solution will save you time and unnecessary costs by scanning your systems for sensitive data.
Do you still have time?
Right now, the draft is in the inter-service consultation stage. This means European Commission executives can now comment on the draft, and subsequent amendments may be made. The final form of the draft is then expected to be released in January 2012, during the World Economic Forum.
If we use the current EU Data Protection Directive as a basis, it should then take about 3 years for the final law to be enacted. The current EU Data Protection Directive was ratified in 1995, but the member states only started adopting it into their legal systems in 1998.
You still have time to implement managed file transfer and data loss prevention solutions. But time is running out, so I suggest you start now. Once the new EU Data Protection Directive takes effect, I assure you, it's going to be very tough for those who haven't prepared for it.