Compliance Regulatory Overview: European Union legislation
http://techrepublic.com.com/5208-11179-0.html?foru... - Dec 5, 2005
Lesson 6 of 7
In the United States, the Health Insurance Portability and Accountability Act (HIPAA) addresses the need to protect private and sensitive data. For members of the European Union (EU), those issues are the focus of the European Data Protection Directive of 1995.
The European Data Protection Directive, along with the requirements of Basel II and the UK Data Protection Act, offers the major compliance frameworks for members of the EU.
European Data Protection Directive
The directive sets up a regulatory framework that seeks to strike a balance between a high level of protection for the privacy of individuals and the free movement of personal data within the EU. To do so, the directive sets strict limits on the collection and use of personal data and demands that each Member State set up an independent national body responsible for the protection of these data. Another section of the directive calls on Member States to determine more precisely the conditions under which the processing of data is lawful.
The directive states that personal data must be:
- Processed fairly and lawfully.
- Collected for specific, explicit, and legitimate purposes.
- Adequate, relevant, and not excessive in relation to the purposes for which they are collected.
- Kept in a form which permits identification of data subjects for no longer than is necessary.
For details on the directive, which covers the processing of personal data including automatically processed data and manual data in a filing system, see EU Data Protection Directive (EU DPD).
Basel II
Gramm-Leach-Bliley and Sarbanes-Oxley require that U.S. financial service organizations put safeguards in place to increase data security. For members of the EU, similar safeguards are addressed in Basel II, which requires that financial organizations meet both reporting and risk assessment requirements.
UK Data Protection Act
The UK Data Protection Act makes it a legal obligation for anyone processing personal data to establish good practice in managing and using the data. Anyone processing personal information must comply with eight enforceable principles of good information handling practice. The act covers any organization that collects personal data.
For a comprehensive list of European Union compliance resources, used with permission of RSA Security, see page two.
European Union compliance resources
- EU Data Protection Directive (EU DPD): The directive covers the processing of personal data, including automatically processed data and manual data held in a filing system.
- Basel II: The Basel II accord is intended to align bank capital requirements more closely with the underlying risk. It is aimed at internationally active banks; U.S. regulators, for example, proposed applying its advanced approaches to banks with total assets of $250 billion or more or on-balance-sheet foreign exposure of $10 billion or more.
- UK Data Protection Act: The act makes it a legal obligation for anyone processing personal data to establish good practice in managing and using that data.
- Money Laundering Regulations 2003: Businesses in the regulated sector must appoint a money laundering reporting officer (MLRO), train employees on the relevant principles and requirements of the legislation, verify the identity of new clients, and keep records of client identification and transactions for five years.
- The Companies Act 1985 (Investment Companies and Accounting and Audit Amendments) Regulations 2005: These regulations amend the Companies Act 1985 and introduce the requirement for an Operating and Financial Review. The review must contain a fair review of the company's business and a description of the principal risks and uncertainties facing it, including analysis of the business against key performance indicators.
- Privacy and Electronic Communications (EC Directive) Regulations 2003: The legislation protects the public from electronic marketing practices that cause nuisance, offence, and invasion of privacy.
- The Freedom of Information Act 2000 (UK): The act makes it an offence to alter, deface, block, erase, destroy, or conceal a record held by a public authority with the intention of preventing its disclosure once a request for it has been made. Public authorities therefore need effective records and document management systems.
- The Turnbull Guidance 1999: Published as "Internal Control: Guidance for Directors on the Combined Code," this guidance's principal aim is to encourage companies to identify and manage internal and external risk within their organizations.
- EU Annex 11, Computerised Systems (to the EU Guide to Good Manufacturing Practice): The central requirement is that "records are accurately made and protected against loss or damage or unauthorized alteration so that there is a clear and accurate audit trail throughout the manufacturing process."
- Payment Card Industry (PCI) Data Security Standard: This information security standard gives merchants and service providers a single set of security requirements, common to the participating card brands, against which to assess their security posture.
White papers
- Data Protection: A Global Challenge: This paper from PeopleSoft provides insight into portions of the European Data Protection Directive and focuses on some controversial issues, international initiatives, and the Internet. It also describes some of the features PeopleSoft products provide to facilitate enterprises' compliance with data protection laws.
- Basel II Compliance: The Data Management Challenge: The New Capital Accord from the Basel Committee on Banking Supervision ("Basel II") effects sweeping changes in the way many financial companies collect and analyze data. This IBM paper discusses the data management challenges that companies will face during Basel II implementations, and how IBM's solutions can help financial companies meet those challenges.
- Complying with confidence: Whether it is Sarbanes-Oxley, Basel II, International Accounting Standards (IAS), HIPAA, or the USA Patriot Act, integrating information in support of compliance is not a one-off proposition. Compliance requires ongoing and constant enforcement; it is never a matter of simply checking a box and moving to another project. Companies typically dedicate one or two people solely to compliance projects. Read this paper from the Sarbanes-Oxley Compliance Journal to learn how to handle data integration effectively and provide visibility.
Computerworld Legislation
http://www.computerworld.com/governmenttopics/gove... - Dec 6, 2005
Security Conforms To Regulatory Compliance
By Helen D'Antoni, InformationWeek, Aug. 29, 2005
Business-technology professionals spend nearly one day a week dealing with industry- and government-related compliance issues, according to InformationWeek Research. AMR Research expects compliance-related spending to reach nearly $15.5 billion this year, with the cost for a typical company estimated at approximately $500,000. Regulatory compliance is also influencing security practices. Of the 2,540 U.S. business-technology and security professionals who recently participated in our 2005 Global Information Security Survey, an editorial research product of InformationWeek and the management-consulting and technology-services company Accenture, more than half report that government regulations have pressured their company to adopt a more structured approach to information security.
Global Information Security Research Highlights
The Research Results are In: Accenture and InformationWeek Global Information Security Survey
I am pleased to share the results of the Accenture and InformationWeek Global Information Security Survey. In its eighth year, the research examines the security drivers, challenges, and opportunities as expressed by 2,540 US business-technology and security professionals.
The research reveals that regulatory compliance, internal attacks, and the vulnerability of electronic communications, especially instant messaging and e-mail, are among the key factors reshaping data security systems.
Key Findings:
- Compliance is reshaping corporate security practices, yet is having little impact on technology decisions.
- Security attacks are becoming increasingly sophisticated, yet basic passwords continue to be the most common line of defense.
- Security breaches are increasingly coming from within, forcing companies to keep tabs on their employees.
- Vulnerabilities in operating systems and applications—including the use of instant messaging—continue to be common points of entry.
- Concern continues to grow over privacy and identity theft, yet organizations are failing to provide rigorous protection of customer data.