The European Union's reputation has taken a beating in recent years. Many people on this side of the pond have long regarded Europe as having too many rules and too many bureaucrats. And even admirers of Europe have been dismayed by its long-running financial crisis.
But when it comes to data privacy and data security, the new EU rules set a better example than you might expect. To one data security strategist the rules are "an excellent balance" between the privacy needs of individuals and the data management requirements of firms.
This is doubly good news, because the EU rules will probably become the industry standard practice going forward. Europe remains a crucial part of the world market and a gateway to other regions. Any company with global aims will need to conform to European standards. In fact, companies should comply with these standards as a matter of good practice even where they are not mandated.
EU data privacy and security policy is built around six principles:
Restrictions on unauthorized pass-along
Protection of data security
Protection of data integrity
Individual right of access
Even if regulatory compliance rules did not exist, these are data security standards that we would want to establish as policy. Without such a policy, companies cannot count on protecting their own confidential data.
The technology tools for providing effective data security already exist. Policy standards also exist, for example as set forth in ISO/IEC 27002 (see below). The challenge is implementing these policies. In the real world, IT departments struggle to keep authorizations up to date as people move through the organization and work group roles change.
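The drift the last paragraph describes, authorizations outliving the role that justified them, is something an access review can catch mechanically. The following Python script is an added example, not code from the article or from any product it mentions: it compares an HR feed of current roles against a snapshot of the access system's grants and reports every entitlement that the person's current role no longer justifies (and any the role requires but the person lacks). The role names, users, systems and the role-to-entitlement policy are all constructed for illustration.

```python
"""Entitlement drift check: compare who HAS access with who SHOULD have it.

Added example, not from the article. It models the failure mode of stale
authorizations after role changes and departures. All data below is
constructed; role names, systems and user names are hypothetical.
"""
from dataclasses import dataclass

# Constructed policy: which entitlements each job role justifies.
ROLE_ENTITLEMENTS = {
    "hr-analyst": {"hr-db:read"},
    "payroll-admin": {"hr-db:read", "payroll:write"},
    "engineer": {"source:write", "ci:deploy"},
}

# Constructed HR feed: the authoritative current role for each person.
HR_ROLES = {
    "alice": "engineer",
    "bob": "hr-analyst",   # moved from payroll-admin last quarter
    "carol": None,         # left the company; no active role
}

# Constructed snapshot of what the access system actually grants today.
CURRENT_GRANTS = {
    "alice": {"source:write", "ci:deploy"},
    "bob": {"hr-db:read", "payroll:write"},  # payroll:write is leftover
    "carol": {"hr-db:read"},                 # orphaned account
    "dave": {"ci:deploy"},                   # no HR record at all
}


@dataclass(frozen=True)
class Finding:
    user: str
    entitlement: str
    kind: str  # "excess" (has but should not) or "missing" (should but lacks)


def expected_entitlements(role):
    """Entitlements a role justifies; no role or an unknown role justifies none."""
    return set(ROLE_ENTITLEMENTS.get(role, set()))


def audit(hr_roles, grants):
    """Reconcile grants against roles for every user seen in either source."""
    findings = []
    for user in sorted(set(hr_roles) | set(grants)):
        should = expected_entitlements(hr_roles.get(user))
        has = set(grants.get(user, set()))
        for ent in sorted(has - should):
            findings.append(Finding(user, ent, "excess"))
        for ent in sorted(should - has):
            findings.append(Finding(user, ent, "missing"))
    return findings


def excess_grants(findings):
    """The (user, entitlement) pairs a reviewer should revoke or re-justify."""
    return {(f.user, f.entitlement) for f in findings if f.kind == "excess"}


if __name__ == "__main__":
    for f in audit(HR_ROLES, CURRENT_GRANTS):
        print(f"{f.kind:8} {f.user:6} {f.entitlement}")
```

Run as-is, the script flags Bob's leftover payroll write access, Carol's orphaned account and Dave's grant with no HR backing; Alice is clean. The design point is that the HR record, not the access system, is the source of truth: a user who appears in the grants but has no current role is treated as having no justified entitlements, so departures and unrecorded accounts surface as excess rather than being silently skipped.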