Data protection is jostling for pole position as an area that CFOs should firmly fix both eyes on. Rarely do you see a juxtaposition of regulatory, technology, enterprise and consumer attitudes changing with one focal point.
The blurred distinction between when work ends and when personal life starts does not look set to get any clearer as technology allows us to work from personal devices, and play from work devices. The challenge this poses to enterprise security is often not taken seriously enough until it is too late.
A couple of years ago the UK Information Commissioner’s Office (ICO) was granted increased powers, with the ability to impose a maximum fine of £500,000 on those who are not careful with the personal data entrusted to them. Since that increased power was granted to the ICO, the data protection watchdog has certainly not been shy in using it.
The current data protection law, however, is not seen as fit for purpose given the globalised, outsourced, social media and cloud driven world of commerce in this day and age. The biggest change to European data protection since 1995 finally arrived with the publication of the draft Data Protection Regulation last year, which is expected to come into force within the next 18 months.
What these new proposals show is that data protection sanctions look set to go way off the scale in terms of what we are used to right now. The sting in the tail, which did not exist before, is that there is a provision to calculate a fine that is based on a percentage of annual global turnover.
Businesses that fail to get it right, especially in the areas of cloud storage, data centres and data transfers, and under new requirements that make ‘compliance’ a fundamental frontline obligation, could face massive fines.
For major organisations, this could be to the tune of tens if not hundreds of millions of pounds, with ‘tier three’ penalties based on 2 per cent of global annual turnover. So businesses will no longer be able to pay lip service to data protection: compliance will have to be an integrated, transparent and demonstrable part of the business if a massive whack of a fine is to be avoided.
Other areas to look out for include:
Mobile and contactless payments
Payments by mobile phone and contactless card are likely to grow exponentially in the coming year. The European Commission recently gave approval to the joint venture between Vodafone, EE and Telefonica to set up a company to develop mobile commerce in the UK. In addition to a mobile wallet service, the operators are proposing to launch a data-based mobile advertising network which will give businesses access to over 37 million of their customers. Concepts such as these are likely to create enormous data protection challenges.
‘Bring Your Own Device’ or BYOD
Such schemes are likely to continue to increase in 2013. In Germany, for example, 80 per cent of businesses are expected to have BYOD schemes in place by the end of next year, creating data protection and privacy challenges.
Facial recognition technology
Social media players using facial recognition technology were under fire from privacy campaigners over the course of 2012 but this is unlikely to act as a deterrent to further development of this technology for commercial and marketing purposes. As the application of facial recognition technology broadens, the data protection issues are likely to become more complicated.
Even if some of these developments do not appear on the horizon as soon as commentators believe they will, there is still enough to give CFOs food for thought. On the one hand are technology and legal change, and on the other hand is the issue of liability. Given what we may see happening to the latter, it looks set to outstrip the decision-making power of all but the board on such matters in a corporate setting.
Vinod Bange is the UK partner leading the data protection team at international law firm Taylor Wessing. He has specialised in data protection and information law for over a decade.