Tuesday, 30 November 2010

New Data Breach Notification Laws incoming from EU

In an attempt to substantially strengthen EU Data Protection legislation, proposals have been published which would require any organisation that loses personal data to notify the individuals affected. Also included are a right to be ‘forgotten’ and a further attempt to harmonise the requirements across the different national legal regimes, to make life simpler for multi-nationals.

The proposals are out for consultation now, with a deadline of 15th January 2011 for comments to be received.

I was speaking with one (non-UK) EU Data Protection Commissioner last week, and his feelings were that this data breach notification obligation was very likely to make it into law. Allowing time for consultation and EU processes would mean a new EU Directive in 2012 with likely 18 months to implement at national level.

The impact of this, of course, would be to increase the consequential cost of any data breach, more than likely raising the cost of a breach in the EU to a level similar to that in the US: over $200 per lost record, according to Ponemon. With an average data breach exposing tens of thousands of records, that makes the £500k maximum ICO fine look like a rather small component of the overall cost of a breach.

Brian
