This is part six of a seven-part series on IT compliance. In this lesson, we will explore compliance issues in regulations affecting members of the European Union.
Lesson 6 of 7
In the United States, the Health Insurance Portability and Accountability Act (HIPAA) addresses the need to protect private and sensitive data. For members of the European Union (EU), those issues are the focus of the European Data Protection Directive of 1995.
The European Data Protection Directive, along with the requirements of Basel II and the UK Data Protection Act, offers the major compliance frameworks for members of the EU.
European Data Protection Directive
The directive sets up a regulatory framework that seeks to strike a balance between a high level of protection for the privacy of individuals and the free movement of personal data within the EU. To do so, the directive sets strict limits on the collection and use of personal data and demands that each Member State set up an independent national body responsible for the protection of these data. Another section of the directive calls on Member States to determine more precisely the conditions under which the processing of data is lawful.
The directive states that personal data must be:
- Processed fairly and lawfully.
- Collected for specific, explicit, and legitimate purposes.
- Adequate, relevant, and not excessive in relation to the purposes for which they are collected.
- Kept in a form which permits identification of data subjects for no longer than is necessary.
For details on the directive, which covers the processing of personal data including automatically processed data and manual data in a filing system, see EU Data Protection Directive (EU DPD).
Gramm-Leach-Bliley and Sarbanes-Oxley require that U.S. financial service organizations put safeguards in place to increase data security. For members of the EU, similar safeguards are addressed in Basel II, which requires that financial organizations meet both reporting and risk assessment requirements.
UK Data Protection Act
The UK Data Protection Act makes it a legal obligation for anyone processing personal data to establish good practice in managing and using the data. Anyone processing personal information must comply with eight enforceable principles of good information handling practice. The act covers any organization that collects personal data.
For a comprehensive list of European Union compliance resources, used with permission of RSA Security, see the resource list that follows.
European Union compliance resources
- EU Data Protection Directive
The directive covers the processing of personal data, including automatically processed data and manual data in a filing system.
- Basel II
The Basel II regulation intends to better align bank capital requirements with underlying risk. Basel II applies to global financial services organizations, specifically internationally active banks with assets greater than $250 billion or foreign exposures greater than $10 billion.
- Data Protection Act
The act makes it a legal obligation for anyone processing personal data to establish good practice in managing and using the data.
- Money Laundering Regulations 2003
Businesses must appoint a money laundering reporting officer (MLRO) to train employees on the relevant principles and requirements of the legislation, verify the identity of new clients, and maintain records of client identification and transactions for five years.
- The Companies Act 1985 (Investment Companies and Accounting and Audit Amendments) Regulations
These regulations amend the Companies Act of 1985 and introduce the need for an Operating and Financial Review. This must contain a fair review of the business of the company and a description of the principal risks and uncertainties facing the company. The review must also include business analysis via key performance indicators.
- Privacy and Electronic Communications Regulations 2003 (EC Directive)
The legislation protects the public from electronic marketing practices that cause nuisance, offence, and invasion of privacy.
- Freedom of Information Act 2000 (UK)
The act states that public authority information cannot be altered, defaced, or destroyed. Public authorities need to implement effective records and document management systems.
- The Turnbull Guidance
Known as "Internal Control: Guidance for Directors on the Combined Code," this guidance's principal aim is to encourage companies to identify and manage internal and external risk within their organizations.
- Annex 11, Computerized Systems
The central consideration of this regulation is that "records are accurately made and protected against loss or damage or unauthorized alteration so that there is a clear and accurate audit trail throughout the manufacturing process".
- Payment Card Industry (PCI) Data Security Standard
This information security standard enables merchants and service providers to assess their security status by using a single set of security requirements for all payment organizations.
- Data Protection: A Global Challenge
This paper from PeopleSoft provides insight into portions of the European Data Protection Directive, and focuses on some controversial issues, international initiatives, and the Internet. It also describes some of the features PeopleSoft products provide to facilitate enterprises' compliance with data protection laws.
- Basel II Compliance: The Data Management Challenge
The New Capital Accord from the Basel Committee on Banking Supervision ("Basel II") effects sweeping changes in the way many financial companies collect and analyze data. This IBM paper discusses the data management challenges that companies will face during Basel II implementations, and how IBM's solutions can help financial companies meet those challenges.
Whether it is Sarbanes-Oxley, Basel II, International Accounting Standards (IAS), HIPAA, or the USA Patriot Act, integrating information in support of compliance is not a one-off proposition. Compliance requires ongoing and constant enforcement. It's never a matter of simply checking a box and then moving to another project. Companies typically dedicate one or two people solely to compliance projects. Read this paper from the Sarbanes-Oxley Compliance Journal to learn how to effectively handle data integration and provide visibility.
- Lesson 1: Sarbanes-Oxley
- Lesson 2: HIPAA
- Lesson 3: Gramm-Leach-Bliley
- Lesson 4: FERPA
- Lesson 5: USA Patriot Act
- Lesson 6: European legislation
- Lesson 7: What's next?