Recent developments in data protection legislation and enforcement measures add up to a new and more hostile compliance landscape for companies, which demands a new way of thinking about compliance, according to a study from the RSA-backed Security for Business Innovation Council.
The report’s recommendations to businesses include taking action to influence legislators in order to keep data protection rules from growing too strict.
The tightened enforcement of existing regulations through expanded powers, higher penalties and harsh enforcement actions, as well as tougher legislation coming down the pipeline, mean “the end of business as usual”, according to the study, titled “A New Era of Compliance: Raising the Bar for Organisations Worldwide”.
“Regulators are moving away from light-touch to more interventionist regulation,” said Stewart Room, a partner at the Privacy and Information Law Group of Field Fisher Waterhouse LLP, a data protection expert and guest contributor to the report. “As I see it, the trajectory of the law here is one way only, which is towards more frequent regulatory intervention, more disputes, more arguments, and more litigation.”
Recommendations for strengthening enforcement include providing data protection authorities with full powers for auditing, halting data processing and engaging in legal proceedings, according to the study.
The study also focused on the increased powers given to the UK’s Information Commissioner’s Office (ICO) in April, including the ability to hand out significant fines, conduct compulsory compliance assessments and the potential to impose civil monetary penalties on data controllers.
Legislators are escalating information protection mandates due to a steady stream of massive data breaches and the resulting public outrage, according to the study.
“Going forward, it will be impossible to hide information security failings as legislators force transparency and data breach disclosure becomes a global principle,” stated RSA president Art Coviello.
The study made a series of recommendations, including building a programme that gives everyone involved in the handling of sensitive information the resources needed to make risk decisions; creating a consistent set of controls across the enterprise mapped to regulatory requirements and business needs; and moving away from “boilerplate” security agreements toward more comprehensive third-party strategies.
The study also recommended that organisations make efforts to influence legislators to ensure that regulations avoid overly prescriptive rules.
The council includes executives from JP Morgan Chase, T-Mobile USA, eBay, ABN Amro, BP, Nokia, FedEx and others.
In April the European Commission warned the UK government that it would take legal action over data protection failures related to the Phorm behavioural ad targeting software used by BT.
After reading the report, one key fact jumped out at me: The move toward stricter compliance will require a new approach to assessing and mitigating risk in near-real time. It will no longer be enough to evaluate your risk posture once a quarter or when compliance audits roll around. Instead, organizations will need to adopt an infrastructure that allows them to continuously evaluate risk. That means automating the monitoring and enforcement of controls so all levels of the organization, from IT to executive management, know who is doing what and that network events aren't negatively impacting business objectives.