Great New Privacy Guidance Tools From The EU

Now Available:

Featured Resources:

Do you have any customers in any of the 27 European Union (EU) countries? Do you have any personnel in the EU? COULD YOU have?

Any company sending or receiving personally identifiable information (PII) of a very wide range of possibilities...many more items are considered as PII outside of the U.S. than within the states...to or from other countries must abide by the data protection (read "privacy") laws for those countries. The EU Data Protection Directive (95/46/EC) establishes the minimum PII data protection requirements that ALL companies, any where in the world, must follow to send PII for their citizens over their country borders. Each of the EU countries also have specific data protection laws that may be even more restrictive than the EU Data Protection Directive (95/46/EC).

Can complying with all these rules be complicated? You bet! However, you MUST work toward protecting PII, based upon risk and to meet data protection laws compliance, otherwise you could face hefty fines, face being told to stop doing business in those countries until you get into compliance, or even face law suits.

On July 8 the Article 29 Working Party (the group of data privacy officials from each EU country) issued a very helpful "toolbox" of guidance for organizations and EU data protection authorities (DPAs) to help them use binding corporate rules (BCRs) to try and meet the security, privacy and compliance challenges of sending PII over country borders.

FYI...BCRs were created in 2003 to help organizations that have customers and/or personnel multiple EU countries to send and receive PII across country borders without being in noncompliance of the EU Data Protection Directive (95/46/EC), which REQUIRES that PII can only be transferred across country borders if ADEQUATE (as determined by the Article 29 Working Party) security is in place.

Even if you do not have customers or personnel in the EU, there is some great guidance within these documents.

"Working Document Setting up a framework for the structure of Binding Corporate Rules": WP 154; 11 pages

"Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules": WP153; 11 pages

"Working Document on Frequently Asked Questions (FAQs) related to Binding Corporate Rules": WP 155; 4 pages

Check them out!

Categories

Rebecca Herold's Bio:

Rebecca Herold,CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.

Now Available:

Featured Resources:

Realtime Communities

Newsletter

Monthly Archives

RSS

Ask the Expert