At the start of 2012, the European Commission announced it is to undertake a comprehensive review of the EU’s 1995 data protection rules. Its aim is to strengthen online privacy rights in a bid to boost Europe’s digital economy. Whether the latter will be achieved remains to be seen but, regardless of what it eventually decrees, increased privacy rights will be a given. While we wait for the official changes to be announced, organizations must act now and introduce 21st century data protection.

The legislation itself

As you’d expect, the EU’s 1995 data protection rules govern how personal data is collected, what it is used for and dictates that organizations have an obligation to protect it from misuse.

The key changes to the reform that will make organizations sit up and take notice are:

• Serious data breaches will have to be notified as soon as possible (if feasible within 24 hours)
• Penalties will be increased. For example, in the UK at present, the ICO can penalize organizations up to £500K. Under the revised legislation this would increase to €1 million or up to 2% of the global annual turnover of a company.

Why is it being reformed?

The rulings date back to 1995 when the internet was virtually unheard of by many. While this technological advancement has revolutionized the way many businesses operate – in fact some wouldn’t even exist without it, it has also introduced a number of challenges.

For instance an organization’s perimeter is no longer restricted to physical or even geographical boundaries. While good for trade in allowing practically any business to operate internationally, it can also allow hackers in to, and facilitate the easy transfer of corporate data out of, the safe confines of the network.


Unlike the physically connected desktops of 1995, today data can be transmitted wirelessly between a myriad of devices – Laptops, Smartphones, Tablets, USB sticks and the list goes on. The challenge for organizations is to prevent this multitude of endpoints facilitating data seepage.

Security from the outside

Unfortunately, short of locking data away and never allowing anyone to access it, there is no one thing that can be done to minimize the risk of data breaches. Equally true, doing nothing is unacceptable and leaves the enterprise exposed to risk.

Organizations need to mesh together appropriate procedures and policies to wrap the network in a security blanket that controls how data is accessed and what can be done with it.

The use of domains introduces control for specified groups of users and/or servers through a central security database. Once authenticated to a central server (or domain controller) users’ access to specific services, applications and directories can be restricted according to their job function or security clearance.