New EU data protection laws will demand even better security, claims report
Multi-factor authentication will become the norm as organisations rush to demonstrate that they're taking security seriously
The imminent arrival of the European Union General Data Protection Regulation (GDPR) will require big improvements to organisations' computer security, according to researchers at Queen Mary University of London's School of Law, and lawyers at law firm Pinsent Masons.
However, the new regulation - a form of EU law-making that takes effect directly in member states without national parliamentary votes - may, as a result, make it more difficult for customers to access their accounts and services with organisations.
In particular, the authors of the report claim, some data protection authorities are already pushing for multi-factor authentication - such as a password combined with a code sent to the user's mobile phone - to be more widely used as a means of logging on to services.
And, while the regulation is not prescriptive, the obligation to report data breaches combined with high fines for the loss of personal data will inevitably ratchet up authentication requirements, they argue.
"The mandatory notification of breaches of personal data may encourage the pre-emptive adoption of more robust security measures for processing personal data," the report's authors suggest.
They continue: "Moreover, the very substantial penalties envisaged under the regulation are likely to incentivise compliance generally, and specifically are likely to result in data controllers and data processors taking their data security obligations more seriously. At least from the Commission's text, breaches of the data security obligations would trigger the highest level of fines."
Indeed, the text of the regulation indicates that organisations could face fines of up to five per cent of their global turnover under the new regime, although if, following a breach, they could demonstrate that they had taken all available measures, the fine would likely be very much smaller.
"Overall, the regulation is likely to lead to an upwards trend in security benchmarks, particularly where security methods are readily available at non-commercially prohibitive prices. Such security benchmarks will remain dynamic to keep pace with advances in security technologies and techniques. In broad terms the increased adoption of multi-factor authentication would be consistent with this upward trend," they conclude.
Commenting on the report, Pinsent Masons' data protection law expert, Lucy Jenkinson, said: "With reforms to the EU's data protection regime scheduled to be finalised before the end of 2015 and likely to bring about a far stiffer sanctions regime than currently applies, businesses will be keen for greater certainty from EU law makers and the watchdogs that will interpret and enforce the new General Data Protection Regulation.
"This includes on what measures they need to implement to meet the data security requirements, whether that means embedding multi-factor authentication or not."