
EU to announce new data protection measures on Monday

  • 18-12-2015 8:54pm
    #1
    Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭


    These include a fine of up to 4% of gross global revenues of a corporation that breaks the rules. This lets the banks and other financial institutions off with a slap on the wrist – because financial services companies generally do not have high revenues. Take CRH and Bank of Ireland.

    Revenues
    BoI about 3 billion (banks in Ireland don’t publish revenue figures – I’m adding up interest and other income to arrive at this estimate)
    CRH about 19 billion

    Assets
    BoI 130 billion
    CRH 22 billion

    The maximum fine that could be imposed on BoI is therefore about 120 million €. Pocket money for a large bank. For CRH the maximum fine could be about 750 million €. It could be even higher for a large discount retailer.


    This method of basing fines on revenues is clearly unfair to low margin, high revenue businesses. Meanwhile high margin, low revenue businesses have little to risk by being data incompetent or if they decide to sell your personal data. It also does not take into account the sensitivity and value of the information at risk in a data management environment. The fact that one purchased a few tonnes of cement from CRH is hardly going to make the front page of some tabloid newspaper. However, the fact that somebody had 10 billion in assets or whatever, according to bank files, whether these data are correct or not, could cause a lot of problems for most people. Most banks have zero respect for customer confidentiality.

    The other measures included in the announcement are mainly dumb. E.g. the data collector will have to provide a tick box for the data victim to tick to indicate their agreement with the terms. Big deal. Most companies who collect data have this already, and there is no room for negotiation on the terms to be agreed.

    Organisations (or so-called “firms” in the press release, which technically only means partnerships) will have to appoint a data protection officer. “Firms whose core business activity is not data processing will be exempt from this obligation so as to avoid red tape” so any company that is not collecting sensitive information on large numbers of consumers will have no obligations under this heading.

    There is no definition of required standards or what misbehaviour is in the material published so far.

    The measures are expected to be announced on Monday next.

    The product of more than a year’s “work” of EU bureaucrats. Pathetic and insulting to the European population.

    http://www.europarl.europa.eu/news/en/news-room/20151217IPR08112/New-EU-rules-on-data-protection-put-the-citizen-back-in-the-driving-seat


Comments

  • Registered Users, Registered Users 2 Posts: 2,626 ✭✭✭timmywex


    Impetus wrote: »
    These include a fine of up to 4% of gross global revenues of a corporation that breaks the rules. This lets the banks and other financial institutions off with a slap on the wrist
    Impetus wrote: »
    The maximum fine that could be imposed on BoI is therefore about 120 million €. Pocket money for a large bank.

    120 million is far from a slap on the wrist....

    Long overdue that these EU regs start to be implemented, been talked about for far too long at this rate


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Why are you focussing on BoI? They've got a large infosec team with many skilled team members and they spend a lot of money on securing their systems. There are much worse offenders than BoI out there.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Yes, the new laws I was on about earlier this year: fines and payouts even if proven to be a point of island hop - you will still have to pay out something, so now with the expenses and onus on everyone, I see this destroying SMEs who don't act now and pull up the socks on protection. Larger corporates can take the hit; the smaller guys, I'm afraid this will crush some lazy-assed companies.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    dbit wrote: »
    Yes, the new laws I was on about earlier this year: fines and payouts even if proven to be a point of island hop - you will still have to pay out something, so now with the expenses and onus on everyone, I see this destroying SMEs who don't act now and pull up the socks on protection. Larger corporates can take the hit; the smaller guys, I'm afraid this will crush some lazy-assed companies.

    While the new regulations apply to all types of companies, the penalties for a security breach are far higher against a small or medium sized company than a big bank or a government agency because the fines are based on a % of sales. Banks have small sales relative to profits - i.e. a high margin industry. Governments have zero sales..... i.e. xxxxxx (I'll leave it up to your imagination). Banks and governments hold far more sensitive info than the average SME does about you.

