Europe's Data Security Rules: "An Excellent Balance"

The European Union's reputation has taken a beating in recent years. Many people on this side of the pond have long regarded Europe as having too many rules and too many bureaucrats. And even admirers of Europe have been dismayed by its long-running financial crisis.

But when it comes to data privacy and data security, the new EU rules set a better example than you might expect. To one data security strategist the rules are "an excellent balance" between the privacy needs of individuals and the data management requirements of firms.

This is doubly good news, because the EU rules will probably become the industry standard practice going forward. Europe remains a crucial part of the world market and a gateway to other regions. Any company with global aims will need to conform to European standards. And in fact companies should be complying with these standards even if they were not mandated, as a matter of good practice.

EU data privacy and security policy is built around six principles:

  • Notification
  • Opt-out default
  • Restrictions on unauthorized pass-along
  • Protection of data security
  • Protection of data integrity
  • Individual right of access
  • Enforcement

Even if regulatory compliance rules did not exist, these are data security standards that we would want to establish as policy. Without such a policy, companies cannot count on protecting their own confidential data.

The technology tools for providing effective data security already exist. Policy standards also exist, for example as set forth in ISO/IEC 27002 (see below). The challenge is implementing these policies. In the real world, IT departments struggle to keep authorizations up to date as people move through the organization and work group roles change.

This is the reality of data security. The EU is passing into law a set of rules that we should be following anyway, which gives firms a good opportunity to get their data security house in order.

The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."