These technology changes are the main reason that European data protection law has been updated.

As David Evans, Group Manager, business and industry group for the UK Information Commissioner’s Office, stated: “Most of the data protection rules were drawn up before anyone sent an email, let alone used Facebook, so it needs to be updated and at the ICO we have been saying this for a while so we welcome the changes.”

Under current EU data protection laws, only public sector companies, internet service providers (ISPs) and telecommunications operators are required to notify customers in the event of a data breach.

But the newly revised data protection framework will make breach notification compulsory for everyone.

The new framework will mean improved rights for individuals. There could also be much harsher penalties for offenders, including the possibility of heavy fines of up to 3% of a firm’s global turnover.

Although Mr Evans said that the ICO generally welcomed the revised framework, he also expressed some reservations about certain weaknesses in the proposed directive, such as an overly prescriptive approach to certain details.

“We think it should be principles-based and that companies should be able to make the changes themselves rather than have us do it for them,” he said.

Mr Evans also cited the retention of certain categories of data that may be outdated and a lack of focus on privacy risk that could lead to a box-ticking exercise rather than a sincere effort to prevent ‘something bad’.

“Get your lawyers to look at this now,” warned Mr Evans. “What we don’t want is a compliance scramble where people wake up one morning and realise how much has changed. If you think there are things in the rules that horrify you, start working on them now. This is not something just dreamed up for the hell of it. It is there to protect people’s information and we want people to be compliant from day one,” he continued.

Some of Mr Evans’ concern comes from the underwhelming response from UK companies as a result of the 2011 changes to the use of cookies—bits of data stored within website browsers that track users’ online activity.

In one sense these cookies help websites to function more efficiently by remembering previous visitors’ preferences. However, these same cookies can also be used to build up long-term records of individuals’ browsing histories which is a privacy concern for regulators.

Previously websites had to inform users that cookies were in use and give them the option to opt out, however the new ‘consent for cookies’ law requires users to opt in.

The change came into force on May 26, 2011, yet more than one year on, compliance has been less than widespread, conceded Mr Evans. “We decided that we would try to be pragmatic. We would give people a year to be compliant and not enforce it with anyone before then. But it has been challenging,” he said.

Underwriters are similarly concerned about the changes to data protection and how they will affect Errors & Omissions policies and coverage for data breaches.

“These policies are generally broad and likely to have been in place for a number of years,” said Paul Bantick, head of TMB UK Speciality Lines at Beazley.

“Risk managers must make sure there are no exclusions for data breaches and that it covers regulatory-related losses. They should also ensure that the policy covers employees’ data and not just customers and ensure that a crisis management sub limit is added,” he added.

Please sign up here to our full-time mailing list to ensure that you receive our weekly newsletter.

• More Cyber News
• More AIRMIC News
• More Regulation News
• More Association News