Lesson 6 of 7
In the United States, the Health Insurance Portability and
Accountability Act (HIPAA) addresses the need to protect private and sensitive
data. For members of the European Union (EU), those issues are the focus of the
European Data Protection Directive of 1995.
The European Data Protection Directive, along with the
requirements of Basel II and the UK Data Protection Act, offers the major
compliance frameworks for members of the EU.
European Data Protection Directive
The directive sets up a regulatory framework that seeks to strike
a balance between a high level of protection for the privacy of individuals and
the free movement of personal data within the EU. To do so, the directive sets
strict limits on the collection and use of personal data and demands that each
Member State set up an independent national body responsible for the protection
of these data. Another section of the directive calls on Member States to
determine more precisely the conditions under which the processing of data is
The directive states that personal data must be:
fairly and lawfully.
for specific, explicit, and legitimate purposes.
- Adequate, relevant, and not excessive in relation to
the purposes for which they are collected.
- Kept in a form which permits identification of data
subjects for no longer than is necessary.
For details on the directive, which covers the processing of
personal data including automatically processed data and manual data in a
filing system, see EU Data Protection
Directive (EU DPD).
Gramm-Leach-Bliley and Sarbanes-Oxley require that U.S.
financial service organizations put safeguards in place to increase data
security. For members of the EU, similar safeguards are addressed in Basel
II, which requires that financial organizations meet both reporting and
risk assessment requirements.
UK Data Protection Act
The UK Data Protection
Act makes it a legal obligation for anyone processing personal data to
establish good practice in managing and using the data. Anyone processing
personal information must comply with eight enforceable principles of good
information handling practice. The act covers any organization that collects personal
For a comprehensive list of European Union compliance
resources, used with permission of RSA Security, see page
European Union compliance resources
- EU Data Protection Directive
The directive covers the processing of personal data, including
automatically processed data and manual data in a filing system.
The Basel II regulation intends to better align bank capital
requirements with underlying risk. Basel II applies to global financial
services organizations, specifically internationally-active banks with
assets greater than $250 billion or foreign exposures greater than $10
Data Protection Act
The act makes it a legal obligation for anyone processing personal data to
establish good practice in managing and using the data.
Laundering Regulations 2003
Businesses must appoint a money laundering reporting officer (MLRO) to
train employees on the relevant principals and requirements of the
legislation, verify the identity of new clients, and maintain records of
client identification and transactions for five years.
- The Companies Act
1985 (Investment Companies and Accounting and Audit Amendments) Regulations
These sets of regulations amend the Companies Act of 1985 and introduce the need for an Operating and Financial Review. This must contain a fair review of the business of the company and a description of the principal risks and uncertainties facing the company. This review must also include business analysis via key performance indicators.
and Electronic Communication Regulations 2003 (EC Directive)
The legislation protects the public from electronic marketing practices
that cause nuisance, offence, and invasion of privacy.
Freedom of Information Act 2000–UK
The act states that public authority information cannot be altered,
defaced, or destroyed. Public authorities need to implement effective
records and document management systems.
- The Turnbull Guidance
Known as “Internal Control: Guidance for Directors on the Combined
Code,” this regulation’s principal aim is to encourage companies to
identify and manage internal and external risk within their organizations.
Annex 11, Computerized Systems
The central consideration of this regulation is that “records are
accurately made and protected against loss or damage or unauthorized
alteration so that there is a clear and accurate audit trail throughout
the manufacturing process”.
Card Industry (PCI) Data Security Standard
This information security standard enables merchants and service providers
to assess their security status by using a single set of security
requirements for all payment organizations.
Protection: A Global Challenge
This paper from PeopleSoft provides insight into portions of
the European Data Protection Directive, and focuses on some controversial
issues, international initiatives, and the Internet. It also describes
some of the features PeopleSoft products provide to facilitate enterprises’
compliance with data protection laws.
II Compliance: The Data Management Challenge
The New Capital Accord from the Basel Committee on Banking Supervision
(“Basel II”) effects sweeping changes in the way many financial
companies collect and analyze data. This IBM paper discusses the data
management challenges that companies will face during Basel II
implementations, and how IBM’s solutions can help financial companies meet
Whether it is Sarbanes-Oxley, Basel II, International Accounting
Standards (IAS), HIPAA, or the USA Patriot Act, integrating information in
support of compliance is not a one-off proposition. Compliance requires
ongoing and constant enforcement. It’s never a matter of simply checking a
box and then moving to another project. Companies typically dedicate one
or two people solely to compliance projects. Read this paper from the
Sarbanes-Oxley Compliance Journal to learn how to effectively handle data
integration and provide visibility.
- Lesson 6: European legislation
7: What’s next?
Sign up for the Compliance Regulatory Overview series
If you haven’t subscribed to this series, automatically sign up today to receive the entire Compliance Regulatory Overview series in your inbox.
We want your feedback
Lesson 6 on European Legislation was: