- Page 1: Data Security Compliance
- Page 2: EU Data Security Compliance
- Page 3: Japan Data Security Compliance
- Page 4: Korea Data Security Compliance
- Page 5: Australia Data Security Compliance
- Page 6: U.S. Data Security Compliance
EU Data Security Compliance
National Legislation:
- The General Data Protection Regulation superseded the Data Protection Directive 1995 in 2016 and will come into effect by May 2018.
- The Directive on Privacy and Electronic Communications 2002, also known as ePrivacy Directive, was introduced to cover all matters not specifically covered by the original directive.
- Countries have augmented the directive (that has been implemented into national law) with additional laws and authorities. For example, the Italian Personal Data Protection Code 2003, was created by the Italian Data Protection Authority (DPA) and set up through Italy’s “Privacy Act”, an administrative independent authority. Similar authorities have been set up in all EU countries to prepare for the processing of personal data.
Scope of Legislation:
- Any company or individual that processes or holds data by which “an individual can be identified” is held responsible for its protection, including third parties such as cloud providers.
- According to the European Commission “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, and posts on social networking websites, medical information, or a computer’s IP address.”
Security Method/Requirements:
- Data controllers must implement appropriate technical and organizational measures to protect personal data having regard to the state of the art, the risks represented by the processing and the nature of the data to be protected.
- For example, if you are a service provider, you must take appropriate technical and organizational measures to safeguard the security of your service.
International Transfer of Data:
- Personal data can only be transferred to countries outside the EU and the European Economic Area (EEA) when an adequate level of protection is guaranteed.
- Data exporters and importers bear the responsibility of ensuring that the transfers comply with the requirements of the Directive (such as appropriate safeguards).
- Only the commission has the power to determine whether a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into.
Other Details:
- Data security must meet “reasonable expectations”. Encryption meets this requirement, resulting in many countries adopting it as the source of data security to meet regulations.
- For example, the Information Commissioner in the UK has issued a range of guidance which makes a range of recommendations including the use of encryption.
- The Directive on Privacy and Electronic Communications recommends the use of encryption as a safeguard.
Continue: Japan Data Security Compliance
Related Posts