Lesson 6 of 7

In the United States, the Health Insurance Portability and
Accountability Act (HIPAA) addresses the need to protect private and sensitive
data. For members of the European Union (EU), those issues are the focus of the
European Data Protection Directive of 1995.

The European Data Protection Directive, along with the
requirements of Basel II and the UK Data Protection Act, offers the major
compliance frameworks for members of the EU.

European Data Protection Directive

The directive sets up a regulatory framework that seeks to strike
a balance between a high level of protection for the privacy of individuals and
the free movement of personal data within the EU. To do so, the directive sets
strict limits on the collection and use of personal data and demands that each
Member State set up an independent national body responsible for the protection
of these data. Another section of the directive calls on Member States to
determine more precisely the conditions under which the processing of data is

The directive states that personal data must be:

  • Processed
    fairly and lawfully.
  • Collected
    for specific, explicit, and legitimate purposes.
  • Adequate, relevant, and not excessive in relation to
    the purposes for which they are collected.
  • Kept in a form which permits identification of data
    subjects for no longer than is necessary.

For details on the directive, which covers the processing of
personal data including automatically processed data and manual data in a
filing system, see EU Data Protection
Directive (EU DPD)

Weekly tips in your inbox

For weekly information on a variety of subjects related to IT compliance, including regulations outlined by Sarbanes-Oxley, HIPAA, and e-mail, sign up for TechRepublic’s free Compliance Issues newsletter.

Automatically sign up today!

Basel II

Gramm-Leach-Bliley and Sarbanes-Oxley require that U.S.
financial service organizations put safeguards in place to increase data
security. For members of the EU, similar safeguards are addressed in Basel
, which requires that financial organizations meet both reporting and
risk assessment requirements.

UK Data Protection Act

The UK Data Protection
makes it a legal obligation for anyone processing personal data to
establish good practice in managing and using the data. Anyone processing
personal information must comply with eight enforceable principles of good
information handling practice. The act covers any organization that collects personal

For a comprehensive list of European Union compliance
resources, used with permission of RSA Security, see page

European Union compliance resources

  • EU Data Protection Directive
    (EU DPD)

    The directive covers the processing of personal data, including
    automatically processed data and manual data in a filing system.
  • Basel

    The Basel II regulation intends to better align bank capital
    requirements with underlying risk. Basel II applies to global financial
    services organizations, specifically internationally-active banks with
    assets greater than $250 billion or foreign exposures greater than $10
  • UK
    Data Protection Act

    The act makes it a legal obligation for anyone processing personal data to
    establish good practice in managing and using the data.
  • Money
    Laundering Regulations 2003

    Businesses must appoint a money laundering reporting officer (MLRO) to
    train employees on the relevant principals and requirements of the
    legislation, verify the identity of new clients, and maintain records of
    client identification and transactions for five years.
  • The Companies Act
    1985 (Investment Companies and Accounting and Audit Amendments) Regulations

    These sets of regulations amend the Companies Act of 1985 and introduce the need for an Operating and Financial Review. This must contain a fair review of the business of the company and a description of the principal risks and uncertainties facing the company. This review must also include business analysis via key performance indicators.
  • Privacy
    and Electronic Communication Regulations 2003 (EC Directive)

    The legislation protects the public from electronic marketing practices
    that cause nuisance, offence, and invasion of privacy.
  • The
    Freedom of Information Act 2000–UK

    The act states that public authority information cannot be altered,
    defaced, or destroyed. Public authorities need to implement effective
    records and document management systems.
  • The Turnbull Guidance

    Known as “Internal Control: Guidance for Directors on the Combined
    Code,” this regulation’s principal aim is to encourage companies to
    identify and manage internal and external risk within their organizations.
  • EU
    Annex 11, Computerized Systems

    The central consideration of this regulation is that “records are
    accurately made and protected against loss or damage or unauthorized
    alteration so that there is a clear and accurate audit trail throughout
    the manufacturing process”.
  • Payment
    Card Industry (PCI) Data Security Standard

    This information security standard enables merchants and service providers
    to assess their security status by using a single set of security
    requirements for all payment organizations.

White papers

  • Data
    Protection: A Global Challenge

    This paper from PeopleSoft provides insight into portions of
    the European Data Protection Directive, and focuses on some controversial
    issues, international initiatives, and the Internet. It also describes
    some of the features PeopleSoft products provide to facilitate enterprises’
    compliance with data protection laws.
  • Basel
    II Compliance: The Data Management Challenge

    The New Capital Accord from the Basel Committee on Banking Supervision
    (“Basel II”) effects sweeping changes in the way many financial
    companies collect and analyze data. This IBM paper discusses the data
    management challenges that companies will face during Basel II
    implementations, and how IBM’s solutions can help financial companies meet
    those challenges.
  • Complying
    with confidence
    Whether it is Sarbanes-Oxley, Basel II, International Accounting
    Standards (IAS), HIPAA, or the USA Patriot Act, integrating information in
    support of compliance is not a one-off proposition. Compliance requires
    ongoing and constant enforcement. It’s never a matter of simply checking a
    box and then moving to another project. Companies typically dedicate one
    or two people solely to compliance projects. Read this paper from the
    Sarbanes-Oxley Compliance Journal to learn how to effectively handle data
    integration and provide visibility.

Course list

Sign up for the Compliance Regulatory Overview series

If you haven’t subscribed to this series, automatically sign up today to receive the entire Compliance Regulatory Overview series in your inbox.

We want your feedback

Lesson 6 on European Legislation was:

 Very helpful
 Somewhat helpful
 Not helpful