Partner and Head of Wills & Estate Planning at Andrew & Co Solicitors Helen Newson writes...
The Panama Papers Effect
The Panama Papers case involved the largest breach of data in history. In all, the details of 214,000 entities, including companies, trusts and foundations, were leaked.
The information in the documents dates back to 1977 and goes up to December last year. Emails make up the largest type of document leaked, but images of contracts and passports were also released.
As well as shining a light on the use of overseas tax havens by the rich and the powerful, the case has also highlighted the risk posed to companies by online hackers and the importance of data protection.
Protecting company data from attack is not just about keeping client data safe; it’s just as much about protecting your reputation, your employees and your future competitive edge, as well as keeping inside the law.
Last year a UK manufacturing company had design blueprints stolen and shared with a competitor. Hackers gained access to the information by targeting a job-seeking chief design engineer, who unwittingly downloaded malware through an email after responding to a fake online recruitment profile designed specifically to trap him.
And Morrisons supermarket is being sued under a group litigation order involving more than 5,000 of its employees after personal and financial details were posted online by a disgruntled ex-employee.
The EU legal framework that addresses cyber security and data protection-related issues is being overhauled by the adoption of a new EU Cyber Security Directive and the EU data protection reform, introduced as part of the Digital Single Market Strategy to enhance trust and security for people and businesses using digital services.
The data protection reform is made up of two documents: the General Data Protection Regulation, which will enable people to better control their personal data, and the Data Protection Directive for the police and criminal justice sector.
It includes a robust set of rules ensuring that people’s right to personal data protection remains effective in the digital age and provides tools for gaining control of our personal data, the protection of which is a fundamental right in the European Union. These include:
- The right to be forgotten: When an individual no longer wants his/her data to be processed, provided that there are no legitimate grounds for retaining it, the data will be deleted.
- The right to know when personal data has been hacked: Companies and organisations must notify the national supervisory authority of data breaches which put individuals at risk and tell the individual involved as soon as possible so that they can take appropriate measures.
- Stronger enforcement of the rules: Data protection authorities will be able to fine companies who do not comply with EU rules up to four per cent of their global annual turnover.
The reform is intended to make the rules easier to understand and apply, and to restore consumer trust. It will replace the current inconsistent patchwork of national laws and introduce a more level playing field, as companies based outside the EU will also have to abide by the new legislation when they offer goods or services on the EU market.
Companies will be required to appoint data protection officers; however, as long as data processing is not their core business activity, SMEs will be exempt from this requirement.
The directive for the police and criminal justice sector came into force on 5th May while the General Data Protection Regulation is set to come into force on 24th May. The EU Cyber Security Directive has yet to be approved.
The new rules will become applicable two years later, to allow the member states to transpose them into national laws. The Commission will work together with the member states and the data protection authorities – the future European Data Protection Board – to ensure a uniform application of the new rules.