EU Data Protection – What It Means For Your Business

11 May 2015

Amethyst's Ross Thomson discusses the implications of new data protection legislation

Existing EU data protection law, which provides the framework for UK data protection legislation, is no longer perceived as fit for purpose and does not address many of the issues of the digital age.  As data moves outside the company perimeter and into the cloud, and as the ability to access it from anywhere becomes possible, so the security risks increase.  With personal data breaches becoming increasingly common place there is recognition that the law needs to be updated.  The first draft of the proposed legislation was published in 2012. Since then it has been significantly reviewed and is now likely to be approved and become effective in 2016 or early 2017.

What Are The Significant Changes?

All organisations still have a duty of care to protect personal data entrusted to them.  In the new legislation there is now an explicit requirement [1] to develop a security policy and implement appropriate technical and organisational controls to ensure a level of security appropriate to the risk; i.e. organisations must have ‘the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data’.

Should a personal data breach occur and where the breach ‘is likely to adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject[1] the controller[2] shall communicate the personal data[3] breach to the data subject without undue delay’.  However, ‘the communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it’.

Failure on a number of fronts including: failure to develop a security policy and implement appropriate security measures; failure to demonstrate compliance when required to do so; and failure to notify the supervisory authority or the data subject of a personal data breach can all lead to the supervisory authority imposing one of the following sanctions:

  • A warning in writing in the case of first and/or non-intentional non-compliance

  • Regular periodic data protection audits

  • A fine of up to EUR100, 000, 000 or up to 5% of the annual worldwide turnover in case of an enterprise, whichever is higher.

What Is The Scope Of The Reforms?

The reforms will impact any company doing business with European citizens regardless of where the company is based.  The law will also harmonise existing national legislation, enforce the same data breach process and ensure the same rules are applied to all companies when they do business within the EU.

What Can Businesses Do To Prepare For The Change?

Businesses and organisations can prepare for the changes by:

  • Recognising that they have a legal requirement and duty of care to protect personal data Business leaders need to understand the impact of non-compliance and ensure that they are kept appraised of any business changes that alter the risk profile

  • Identifying what personal data is stored and processed on their systems and the nature of it, e.g. financial information, medical information. It is likely that the fines will be proportionate and depend on the sensitivity and quantity of the data

  • Reviewing the security controls to determine whether they are effective and appropriate for the level of risk

  • Implementing additional security controls (technical, procedural, physical or personnel) to mitigate the risk and demonstrate that they are effective.

How Amethyst Risk Management Can Help You Meet the Data Protection Challenge

Amethyst offers a range of cyber security services that can help you meet the data protection challenge. These range from the provision of a managed encryption service that can make ‘data unintelligible to any person who is not authorised to access it’; to supporting your organisation in achieving ISO 27001 or Cyber Essentials certification.  The benefits of certification are that in addition to improving the effectiveness of your organisations security controls it will demonstrably provide evidence to the supervisory authority that you take security seriously.  Our full range of services include:

  • ISO 27001 gap analysis - analysis of your business in terms of alignment to ISO Information Security standards. This will include a recommended remediation plan plus production of the relevant documentation/material to achieve certification

  • Security systems assessment - assessment of your existing systems to assess how effectively secure data is held

  • IT Health Check - penetration testing of the IT infrastructure and applications, and the recommendation of the measures to cost-effectively treat the identified risks

  • Cyber incident response - identify and remediate the cyber incident

  • Security process review - analysis of your company processes and the provision of advice and guidance on security best practice and standards

  • Compliance audit- audit to review and report against the relevant security standards for your business

  • Security governance review - identifying the relevant legislation and guidance for your business and recommending the required implementation measures

  • Design and architecture support - review and advice regarding design and architecture plans

  • Cyber security governance - support and advice regarding security best practice

  • Systems and supply chain assessments - security assessment against relevant ISO standards

  • Security strategy - ensuring that your corporate security posture is commensurate with the company risk profile

  • Security Policy and standards compliance and related documentation production

  • Security Training – Introductory and bespoke courses and training packages to suit the needs of your business

  • Forensic readiness assessment and planning – providing you with support and advice to implement best practice

  • Managed encryption service – you can benefit from a fully managed encryption service which ensures the security of your data/information assets in the cloud.


    If the service you require is not listed, or if you would like further information, please email us at or contact us here.



  1. < >

    [1] Data subject: Personal data is used to identify a natural person. That person is the ‘data subject’.

    [2] Data Controllers: Decide on the conditions, purposes and manner in which personal data are processed. They may be individuals, firms or public authorities.

    [3] Personal data: Any information which directly or indirectly identifies an individual.

Contact us for more information

<< Back to Latest News items