
Privacy Laws and Business International Report



European Data Security Project [1998] PLBIRp 23; (1998) 45 Privacy Laws and Business International Report 14

In search of a common European data security policy

THE EU DATA PROTECTION DIRECTIVE extends the data security provisions of the member states’ current data protection laws. Privacy Laws & Business is conducting a research project to examine the changing and stricter data security requirements in the EU Member States.

The project results will be particularly useful for multinational companies wishing to adopt a European-wide data security policy.

Different interpretations of the Data Protection Directive’s (95/46/EC) provisions on data security, different legal cultures and traditions will affect the form that security requirements will take in EU countries’ national laws. A research project, entitled A comparative analysis of the interpretation and planned implementation by EU Member States of the EU Data Protection Directive’s Data Security Provisions, will provide valuable information on the kind of practical security requirements demanded in different EU countries.

The research project is being conducted by Julia Brown, with the help of an Advisory Group consisting of more than 20 organisations in seven countries. These include the offices of Data Protection Authorities in the UK and the Netherlands, Equifax Europe in the UK, Microsoft Europe in France and SAP in Germany.

PRACTICAL GUIDANCE TO ORGANISATIONS

The project takes place at a time when organisations are seeking guidance on the content and impact of the new provisions on their data security policies. Now is the time for making changes to these policies, as most organisations are now reviewing their security systems anyway to deal with the millennium problem. The research project analysis will take the form of a survey and interviews with national Data Protection Authorities and standards organisations. It will examine security provisions in new national laws, the Data Protection Authorities’ data security guidelines and notification procedures. The project is due to be completed in November, and results will then be published in a management report.

KEY QUESTION: HOW TO INTERPRET TERMS

The EU Data Protection Directive’s security provisions can be found in Articles 17 and 19. The Directive requires that the “appropriate technical and organisational measures” adopted by data controllers must take into account the “state of the art and the cost of their implementation.” The security provisions should then “ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.” There are other concepts that, when interpreted by the Member States, may vary significantly. Some countries have already tried to make sense of these rather vague descriptions. The Office of the UK Data Protection Registrar conducted a consultation at the end of last year (PL&B Dec ’97 p.5). The results showed that there is need for different levels of security systems, as small businesses would perhaps want to rely on informal self-assessment rather than adopt a strict set of rules.

CRITERIA FOR MINIMUM SECURITY

One of the questions posed to the national Data Protection Authorities is what are the minimum requirements for data security. A simple solution would be to agree on a common standard.

In the UK, the existing security standard BS7799 is currently being amended so that it will include Internet security. Should it then become a European Standard, it would be a useful tool for assessing compliance with the new security provisions, particularly for larger organisations.


Julia Brown is a Master’s student studying Information Technology Security at the University of Westminster, London. For more information about the

European Data Security Project, or if you want to join the Advisory Group, contact Julia Brown at Privacy Laws & Business

Tel: + 44 (0)181 423 1300, Fax: + 44 (0)181 423 4536,

E-mail: info@privacylaws.co.uk

website: www.privacylaws.co.uk


URL: http://www.worldlii.org/int/journals/PLBIRp/1998/23.html