
Compliance, data protection and keeping safe online in 2012

In Europe a revised data protection law has been proposed as a way to keep company and customer data more secure. In this article we cover the highlights of the proposal, the controls that can be used to ensure data protection, and the elevated level of security now expected as standard.

Data Protection highlights

In Europe the data protection laws are being revised in the hope of strengthening online security. The law in place since 1995 is a directive, which each EU country has implemented as it saw fit, leading to inconsistent data security across the EU. The proposed single law for the entire EU is intended to end this divergence and reinforce customer confidence in online security.

Although data protection law has been in place since 1995, it has not kept pace with the incredibly fast changes that have occurred, and are still occurring, on the internet. It was written for the online activity of 1995, and a great deal has changed since then. The law needs to be adapted to accommodate today's online services and challenges, and to cover data protection in areas that did not exist in 1995.

Looking at what the internet is used for today, from social networking to cloud computing, personal and corporate data is at risk in many places. Everyone has the right to the protection of their personal data, so the rules need to be reviewed, adapted and extended where necessary to ensure that everyone gets the protection they are entitled to, especially in an age where so much personal data is processed, transferred and stored online.

Some points covered in the new proposal

The following are some of the issues up for consideration in the new data protection proposal.

  • To revise, update and improve the rules in the existing EU Data Protection Directive of 1995, replacing the old directive with a modernised version.
  • To strengthen the privacy rights of the individual and, through this, increase customer confidence in data security.
  • To give individuals more insight into, control over and management of their own personal data, and easier access to it. They will be able to have their data deleted if there is no valid reason to retain it.
  • To require explicit consent from the individual before their personal data is processed.
  • To ensure the individual's data is protected at all times, regardless of where it is sent, processed or stored, including outside the EU. EU rules will still apply even if the data is not processed or stored within the EU, so data protection would be enforced wherever in the world the data is.
  • To achieve high levels of data protection in all areas.
  • To enforce these rules; substantial fines can be incurred if they are not followed.
  • To reinforce confidence and competitiveness within the EU market through a single piece of legislation for all to follow.
  • To facilitate and secure the international transfer of personal data.
  • To set a data protection standard that reduces complexity, legal uncertainty and administrative cost.
  • To require companies and public organisations to employ Data Protection Officers.
  • To make notification of data breaches mandatory, with both the Data Protection authorities and all the individuals at risk notified within 24 hours of the breach.

Steps in the right direction, companies can start adapting to the new proposed laws

  • All companies with more than 250 employees, and all public sector organisations, would need to employ a named Data Protection Officer whose role is solely data protection. This would incur extra cost in organisations where it is not already accounted for; however, it is an obligation under the proposed law.
  • Companies will need to review their existing data management and security policies to ensure that they have a strict data protection policy in place that is continuously managed and reviewed, since they would be held accountable for data breaches and would need to acknowledge and report on them if they occur.
  • It would become mandatory to acknowledge data breaches. The company would be required to notify the Data Protection authorities as well as all the individuals whose data has been placed at risk, and this notification would need to be made within 24 hours of the breach.
  • Companies would need to comply with the new legislation or risk substantial fines. A management system should be put in place to ensure that the company is complying with the legislation at all times.
  • A good guide to employee and customer data protection is the ISO 27002 standard, which recommends the steps to follow to initiate, implement and manage information security.

Some recommendations to assist in managing your organisation's information security

  1. Assess your areas of risk

    Study every area of your organisation where any form of personal data could be at risk, be it corporate, employee or customer data. Make yourself aware of every point at which a data breach could occur, even where you think it unlikely.
  2. Security Policy

    Once your areas of risk have been assessed and understood, put a security policy in place that is tailored to your company's needs and its specific risks.
  3. Managing the security policy

    Once the security policy is in place it must be continually governed and maintained. A policy that is not enforced might as well not exist.
  4. Asset management

    Keep and maintain an up-to-date record of information assets. This tells you which data, in the form of information assets, needs to be secured; if the record is out of date, the security built on it will be less effective.
  5. Physical and environmental security

    Ensure that physical security measures are in place, maintained and monitored to control who has access to the facilities and computers where your information is processed or stored.
  6. Access control

    Have strict controls limiting who can reach your data, be it corporate, employee or customer data, through your networks, systems and applications. Keep the set of people with access small, and make sure each of them can be held accountable for what they do with it.
  7. Management of technical security

    Systems and network operations should be controlled and managed.
  8. Security surrounding human resources

    Have policies in place that govern the personal information of employees joining the company, leaving it, or being transferred internally.
  9. Development

    Always look to improve your security, and build security into software and applications from the start rather than adding it afterwards.
  10. Information security incident management

    Have a policy in place for handling an information security breach, so that a breach can be dealt with appropriately and smoothly. Be sure that your response to a breach complies with legislation, including the notification deadlines.
  11. Business continuity and data recovery

    Ensure that protection, maintenance and recovery policies are in place for the data that is critical to your company's processes.
  12. Compliance

    Most importantly, ensure that your company conforms to data protection legislation. Be aware of the law and keep up to date with changes to it. At the end of the day you will be held accountable for any security breach that occurs and will have to deal with the consequences, so make it your business to be familiar with the law at all times.

Conclusion


People are more aware of their personal data being placed at risk and used without their consent, whether it is transferred between companies to grow their market base or deliberately misused. We live in an age where we are more frequently required to hand over personal data, yet we are far from sure of the security of that data online and are conscious of how little control we have over it once we hand it over.

If the law could ensure the security of one's data online, it would strengthen the trust between the customer and online services, which the ever-growing digital economy needs.

Having the same legislation throughout the EU should benefit both individuals and organisations in the long term, strengthening confidence in online security and making it easier for companies across the EU to comply at all times. A single piece of legislation is also simpler to enforce, as there can be no excuse about which laws were meant to be complied with.

The proposal is still under review, so it will be a few years at least before the new law is enforced; however, it is in a company's best interest to start making the necessary changes now. That will make the transition easier and spread any cost incurred. Protecting corporate, employee and customer data at all times should be common practice, not merely a response to a new set of laws.

About Ricky M. Magalhaes

Ricky M. Magalhaes is an international information security business specialist, author and consultant, working with a myriad of high-profile organisations. He has been consulting in the information security field for over thirteen years and continues to promote information security best practice, strategic security and creative ways to achieve compliance for many top international entities. He has trained government agencies and other governmental entities in various information security disciplines and speaks at national and international conferences on behalf of software and security vendors.
