Protecting employees’ personal data has become a priority for companies operating in Europe, says Judit Barnola, Head of the IT department at Osborne Clarke, Barcelona.
Understanding and complying with data protection rules across 27 EU Member States is a difficult task, and the regulations are set to become even tighter.
“Companies need to have a three-fold approach to data protection,” says Rafael García del Poyo, Head of the IT department at Osborne Clarke in Madrid. “They have to understand the legal, technical and organisational requirements.”
All three of these issues vary in different markets, he adds, but companies do require a common approach. “Businesses have to follow the law yet make practical safeguards for data protection compliance too, such as adequate firewalls for servers and documents of security.”
The punishments for data protection breaches can range from fines to involuntary liquidation to imprisonment. Spain, for instance, settled on fixed fines for breaches after reviewing the options, including a percentage of a company’s turnover. The maximum was set at €600,000 per breach and, while that is not as high as in other countries, the authorities are more vigorous in enforcement.
“The Spanish Data Protection Agency is very proactive in the application of data protection legislation,” says García del Poyo. “It is worth remembering that the €600,000 fine is for each breach, so if a company has multiple breaches, the total fine can be considerable.”
The EU is now also looking at taking a unified approach to data protection by way of a binding framework. The concept is to make a single set of regulations applicable at an EU-wide level, thus creating a uniform approach. If that comes in, companies will have yet another layer of regulations to contend with.