SAI Global GRC Community


Privacy & Data Protection

“It's been a long, a long time coming

But I know a change is gonna come” (Sam Cooke)

After two years’ painful gestation, EU legislators hope to gain European Parliament approval this year for a new regulation aimed at safeguarding personal data. For many EU citizens, however, these changes can’t come quickly enough.


Data Privacy Day is celebrated on Jan 28 every year. Why not take this opportunity to strengthen your Data Privacy and Data Protection program? Here are some program elements to consider:


Just over a week ago, the professional social networking site LinkedIn was hacked and nearly 6.5 million passwords were posted online. The specifics of the hack haven’t been disclosed; however, it has come to light that the company did not employ a CIO or CISO at the time of the data breach. This fact is circumstantial, as there are steps that any organisation can take to improve information security, especially when it comes to educating employees about their responsibilities to protect data. Most security professionals will agree that the first line of defence is always human. It is therefore worthwhile for companies to have some form of training in place to reduce the chances of data breaches occurring through human error.


Last week, LinkedIn suffered a data breach when approximately 6.5 million users’ passwords were stolen and posted on the internet. While attacks like this are becoming more common, what surprised most experts was the lack of sophisticated encryption being used by LinkedIn. The passwords were only protected by the most basic form of encryption, giving many the impression LinkedIn was not taking data security seriously.


The Information Commissioner’s Office in the UK has had a prolific run over the past 18 months, levying fines for data protection breaches with increasing regularity. The common theme in every case has been human error – sometimes just one mistake resulting in a compromise of information security or of the personal data of an individual data subject.


We recently looked at the leaked proposals for reforming the EU Data Protection Directive. Naturally, the ensuing headlines focused on the developments which reinforce Europe's reputation for taking a hard line on privacy: heavy fines, mandatory application, and stringent obligations.


But let's take a look at some of the key developments and whether they are quite as alarming as they look.


As we saw in my last post, the proposed EU data protection Regulation will apply more extensively than the existing directive. In this post, I will pull out some of the new and expanded requirements for data controllers, look at how international data transfers are likely to be governed, and indicate what consequences might arise for breaches of the Regulation.

New Principles and Obligations

  • Data controllers must have "transparent and easily accessible" data processing policies – which probably excludes the 40-page, 6-point-font Terms of Service that lurk in the recesses of a website.

The European Commission (EC) has released its hotly-anticipated proposals for reforming EU data protection law, cementing EC vice president Viviane Reding's increasingly tough statements on privacy. Many items in the proposals come as no surprise, but there are also many points which bear close consideration.

Whilst it remains to be seen whether all of the proposals are passed by the European Parliament and the Council, it is very likely that – whatever form it eventually takes – the new European law will be tougher than the current directive.

A Regulation, not a Directive
The most obvious change is to the type of instrument, from a Directive to a Regulation. This means that the law will automatically apply across all 27 Member States, thereby removing the requirement that countries pass implementing legislation.

One problem with the Directive is that it merely sets a baseline for what countries enact. Various scenarios can then follow –


The recent arrival of "cloud" technology is another example of how data privacy, economic opportunity, and jurisdictional conflict intersect. For the unfamiliar, cloud technology allows a user to abandon the constraints of traditional computing by hosting data and applications on the web. Perhaps the best example of its potential is Apple’s iCloud, a "computer in the sky" that serves as a repository for data (apps, music, media, documents, etc.) and lets users access it from any web-capable device. While this innovation will undoubtedly change the way individuals compute, one downside is the unknown risk presented by moving data away from a secure, local site to an offsite server.


On January 1, 2010, two important state data security and privacy laws took effect in Nevada and New Hampshire. The laws create new obligations for most companies that do business in Nevada and for health care providers and business associates in New Hampshire.

Nevada’s law requires "data collectors," including government agencies and businesses, that accept payment cards and are "doing business" in Nevada to comply with the Payment Card Industry Data Security Standard ("PCI DSS"). Nevada now becomes the only state to require compliance with PCI DSS in its entirety.


© 2015 SAI Global Limited ABN 67 050 611 642



