As of May 25, 2011, new data breach notification rules will be enforced across the European Union. Despite increased awareness and efforts to deploy technology to protect data, breaches continue to occur at an alarming rate. Users, the people who entrusted their personal information and sensitive data to a third-party organization, deserve to know when that information has been exposed or compromised in any way.
A recent discussion in the Zecurion Group on LinkedIn.com (you may need to be a member of LinkedIn, and possibly of the Zecurion Group, to read it; joining is free) highlights the upcoming EU mandate and provides an extensive, detailed look at the elements of the data breach notification rules and how to implement effective compliance.
The report shared in the Zecurion Group ends with this summary:
At any rate, ENISA already provides us with useful examples of practices in Europe, helping the stakeholders in their study of the question:
- The risks should be clearly identified.
- Breaches should be evaluated and prioritised before being notified to data protection authorities and data subjects.
- The means of notification should be specifically decided by the operators and used without undue delay.
- Regulatory authorities should strengthen compliance.
- Private operators and data protection authorities should cooperate usefully to enforce security through this new procedure.