The European Union (EU) has always held personal rights and privacy in high regard, and in January it proposed 119 pages of tough new regulations and penalties for businesses and government agencies that handle personal data. Every member of the EU has signed on to the European Convention on Human Rights, which protects each person’s “private family life, his home and his correspondence”, and each member will need to comply with the new mandates once they are approved. This new directive, called Directive 95/46/EC (if you’d like to look it up, this Duane Morris Alert provides a good overview), will mandate that any processing of personal data be:
- Transparent—Individuals must be aware that their data is being processed, legitimately and proportionally.
- Legitimate—Organizations can only process data for explicit and legitimate purposes.
- Proportional—Organizations can only process as much data as is needed for the specific purpose.
Companies and governments will be directly responsible for the way they manage user data, and many expect the costs of this new responsibility to be high. Any organization with 250 or more employees must hire or appoint a data protection officer, and the organization can be fined for noncompliance. For example, an organization could be liable for between 0.5 and 2 percent of global annual turnover for failing to respond to a request to be "forgotten". This directive will apply to any organization that does business in the EU, whether it is based in the EU or elsewhere in the world.
On the surface, these regulations seem to rein in companies’ use of social media to keep tabs on individuals, and that may have been the original intent. But data breaches remain the biggest risk to personal data and the main focus of current investigations. In fact, the EU has been active over the past several years introducing directives such as the E-Privacy Directive (Directive 2002/58 on Privacy and Electronic Communications) to stem the risks of data breaches. The E-Privacy Directive, for example, requires service providers to notify regulators, and sometimes the affected individuals, whenever a breach occurs. In addition, Article 30 of the new regulation mandates that organizations implement business policies and technical security measures that are appropriate for the data they are processing, balancing the use of state-of-the-art technologies against the cost of implementing them.
Whether this new EU directive becomes law depends on agreement among the European Commission, which wrote the directive, the European Parliament, and the EU member states, which could take a year or more. In the meantime, the EU countries are not sitting idly by waiting for EU directives: they have made or are making their own regulations, and initial reactions to the proposed directive are mixed. The UK Information Commissioner has said: "...in a number of areas the proposal is unnecessarily and unhelpfully over prescriptive." The French data protection authority, the Commission nationale de l'informatique et des libertés (CNIL), is against the proposals, although it does like parts of them, such as the right to be forgotten. In Germany some feel that the regulation would encroach upon the German Constitution. And it will not affect only European organizations, but any organization operating within the European Union. In the U.S. the proposals also have their critics.
Francesco Pizzetti, the head of the Italian data protection authority, the Garante per la Protezione dei Dati Personali, has also stated that the EU regulations may cause undue economic hardship. He also expressed his concern to the Italian Parliament over greater centralization of data protection powers in Brussels.
As with other EU countries, Italy has instituted its own data protection agency, which protects all types of personal data for public employees. Italy also enforces similar regulations for private companies. The Garante recognizes that employers must process a certain amount of personal data, but it requires that they protect their employees’ personal data with very strict controls. As with the new EU regulations, data processing must be necessary, relevant and transparent. The Garante requires that administrators have specific responsibilities for controlling and processing data. Administrators can be individuals or departments, but they must be entrusted in writing and trained to handle data properly. The sensitive categories they must understand include health, sex lives, political opinions, membership in trade unions, philosophical or religious beliefs, racial or ethnic origins, salaries, and so forth. They must ensure that any personal data that is legally transmitted does not reach anyone but the intended recipient. In short, anyone responsible for handling personal data of any type has a huge responsibility to ensure that the data remains secure.
The City of Siena in Tuscany, Italy, is an excellent example of a public-sector organization that struggled to deal with the data-related regulations. This beautiful and historic city is a serene World Heritage site where tourists relax among the olive groves or get their hearts pounding at the annual horse race in the Piazza del Campo.
Behind this touristy backdrop are 700 employees who provide services to more than 60,000 residents. The city also maintains a large amount of sensitive data on its citizens. To stay in compliance with the Garante per la Protezione dei Dati Personali mandates for data security, the city's IT officials knew they needed to strengthen the city’s data security. The administrators put out a request for proposal and, after much research and consideration, decided that NetIQ offered the product features that best met their needs. The administrators worked closely with NetIQ partner Net Studio to implement NetIQ Sentinel, Access Manager and Identity Manager. Identity Manager completely automates the management of user accounts, so the human resources (HR) department can manage its 700 employees without IT assistance. The system logs each system administrator’s access to ensure complete compliance and easy reporting. The IT department can also respond immediately to external threats and internal policy violations in real time, greatly reducing the risk of security breaches.
Thanks to these solutions, the city has reduced the time it takes to create new employee accounts by 60 percent, and administrators are comfortable knowing that employees and others can access only the data they need to do their jobs.
Threats to data security will only increase in the future, and so will regulations to ensure that companies and government agencies have the tools and processes necessary to protect the privacy of employees, customers and citizens. The tools needed to protect data and ensure compliance in a way that keeps acquisition costs low and applies automation to reduce the cost of maintaining your data security are available today. Picking the right solutions to meet the ever-changing regulatory landscape is the challenge for today's CIO, IT Director or IT Manager.
Mar 09 2012, 10:37 AM
Filed under: Data Breach, NetIQ, Data Protection, Privacy, Data Security, ICO, Social Media, HR, Sentinel, Identity Manager, Tuscany, Italy, Net Studio, EU, European Convention of Human Rights, Directive 95/46/EC, European Union, DPO, Access Manager, Garante per la Protezione dei Dati Personali, E-Privacy Directive, Francesco Pizzetti, Human Resources, European Commission, City of Siena, Duane Morris Alert, Directive 2002/58, Commission nationale de l'informatique et des libertés, CNIL, United Kingdom, UK, Information Commissioner Office, David Shephard, Security Web