
Security manager roles and responsibilities in modern organizations

Last reviewed: June 17, 2013
Abstract

The impact of a far-reaching and umbrella-like data protection law as proposed by the EU would lead to an exceptionally high level of costs for UK businesses. There is however no information being shared with them about compliance and the proposed law is about to be ratified by the European Parliament. There is much to be done in this area, yet the EU has been dragging its feet in getting the word out to UK businesses.

U.K. Businesses Clueless Regarding the Costs of Compliance to European Union's Data Protection Reforms

Considered exceptionally restrictive in scope and lacking any agility or flexibility to meet business needs, the proposed data protection reforms being promoted by the European Union (EU) are largely misunderstood by UK businesses. Only 40%, or four in ten, understand the implications of the proposed laws for their businesses, including the costs of compliance, the steps necessary to gain EU-wide compliance, and the continual recertification procedures. These findings and more are presented in the results of a survey commissioned by the Information Commissioner's Office (ICO) and carried out by London Economics. The study, titled "Implications of the European Commission's proposal for a general data protection regulation for business. Final report to the Information Commissioner's Office", is available for download on the ICO's website.

The study is paradoxical in its results, showing how poorly the EU has provided prescriptive guidance to enterprises throughout the UK and the broader EU, while at the same time showing how difficult umbrella-like coverage is to manage for data protection legislation. The EU has attempted this type of very broad, strategic data protection legislation in the past (Iowa Law Review, 1995) (Amidon, 1992), eventually having to settle for data protection legislation specific to a given EU nation, as it did with the UK previously (Charkiewicz, 2001).

Despite the many challenges of defining strategic, umbrella-like EU coverage for data protection measures that would be significantly more stringent than those of the U.S. Department of Defense and other global government agencies, the EU still struggles to gain commitment and support. One of the main contributing factors to the opposition is the lack of understanding of the costs and benefits associated with the proposed legislation (Berrong, 2010). An essential part of the benefits that EU nations will accrue from the legislation is a net reduction in administrative costs of at least £2.0B per year, in addition to another £2.5B saved through better coordination and synchronization of data protection laws across member states. This is net of the £496M that the EU projects businesses will spend to gain compliance with the new laws, and an additional £17M for personal data breach monitoring. All of these costs were computed before the United States' PRISM scandal, a troubling development, as much of the EU consumer data used by American companies is managed by the companies involved in that program. Viviane Reding has made it clear that the EU will vigorously defend its right to audit how its data is used, and has also said that PRISM has made the EU curtail advanced plans for sharing additional data with the United States (Hancock, 2013).

A Failure To Communicate At Multiple Levels

EU Commissioner Viviane Reding initially completed her data protection bill in 2012, and it has since been under review by the European Parliament. The EU has most recently said that the legislation, while far-reaching and highly regulatory of data use and ownership, will not go into force until 2015 at the earliest, so that EU-based businesses have the opportunity to plan for and prepare for compliance. The EU has deliberately created this legislation to stay consistent with the foundational elements of the U.S. Privacy Act of 1974, in addition to critical areas of the Organisation for Economic Co-operation and Development Guidelines (Crook, 1983). It has also been specifically designed to be in compliance with European Union Directive 95/46/EC, in addition to the Asia-Pacific Economic Cooperation Privacy Framework (Rosler, 1995). With so much invested in this legislation and its probable ratification by the European Parliament imminent (by legislative timeframes), it is imperative that British businesses have an opportunity to prepare for compliance (Desai, 2013). Yet a study completed by the Information Commissioner's Office (ICO) shows that the majority of UK businesses are completely unprepared to attain compliance with the new data protection bill, with 60% not knowing what the implications are for their business in the short or long run.

The ICO's study included interviews with 506 UK-based companies and found that 87% of them lacked even a rudimentary knowledge of how to attain compliance with the directive. In addition, the following findings were published in the research report:

40% of the UK companies in the survey do not understand the 10 major provisions of the bill, with just 2% being able to list all ten.

82% of the respondents don't have a budget to attain compliance with the data protection act, as the majority of them don't know how much it will cost, what the overall timeline for compliance is, or how they can manage ongoing compliance efforts.

Of the three types of companies in the respondent base, the small and medium businesses (SMBs) were the most confused and completely unaware of the plans. Larger firms with 250 employees or more and 100K records were better equipped to gain compliance with the 10 major provisions of the bill.

London Economics completed an analysis of the survey results and in it provided a roadmap of the summary of costs shown in the following graphic. Transitory costs, including updating legacy data and system development, are driven by data minimization and the right to be forgotten (Massey, 2009), i.e. data reduction and elimination from EU systems. Ongoing costs include those that have traditionally been associated with decreased competitive advantage. An analysis of the results from the study is shown in the following graphic, Summary of Costs.

The ICO study results showed that the direct effects of the proposed legislation would reduce the risk of data loss and identity theft, enhance consumer trust in online channels, and improve the quality of personal care data, all driving better decisions over the long term. These are very significant benefits for any business, yet they are completely misunderstood and not being acted on today by the majority of UK businesses. A Summary of Benefits is shown below, with the new legislation, direct effects and indirect benefits defined as in the ICO's findings.

Conclusion

References
  • Amidon, P. 1992, "Widening Privacy Concerns", Online, vol. 16, no. 4, pp. 64.
  • Berrong, S. 2010, "Protecting Personal Data in the EU", Security Management, vol. 54, no. 7, pp. 32.
  • Charkiewicz, A. 2001, "Database protection in the UK: past, present and future", Copyright World, pp. 14-17.
  • Crook, A. 1983, "Data Protection in the United Kingdom, Part 2", Journal of Information Science, vol. 7, no. 2, pp. 47.
  • Desai, D. 2013, "Law and Technology: Beyond Location: Data Security in the 21st Century", Communications of the ACM, vol. 56, no. 1, pp. 34.
  • Doleys, T.J. 2013, "Managing the Dilemma of Discretion: The European Commission and the Development of EU State Aid Policy", Journal of Industry, Competition and Trade, vol. 13, no. 1, pp. 23-38.
  • Hancock, B. 2013, "European Commission Warns That PRISM Could Undermine 'Safe Harbor'", Inside US Trade, vol. 31, no. 24.
  • "EU and US eye privacy in parallel", 2012, The Lawyer, , pp. 8-n/a.
  • "Symposium: Data protection law and the European Union's directive: the challenge for the United States", 1995, Iowa Law Review, vol. 80, pp. 431-734.
  • Massey, R. 2009, "Privacy and Social Networks: A European Opinion", Journal of Internet Law, vol. 13, no. 4, pp. 1-17.
  • Rosler, D.B. 1995, "The European Union's proposed directive for the legal protection of databases: a new threat to the free flow of information", High Technology Law Journal, vol. 10, no. 1, pp. 105-146.
  • Original article: "European Union's proposed data protection reforms", http://www.theregister.co.uk/2013/05/15/ico_data_protection_eu_reform/
PaperDue. (2013). Security manager roles and responsibilities in modern organizations. PaperDue. https://www.paperdue.com/essay/uk-businesses-clueless-regarding-the-costs-92088