White paper
Data Confidential: Keeping private information safe

Executive Summary

Data protection is an issue that concerns everyone, whether as a consumer, an employee or a company director. Getting it right is important. Breaches can lead to a serious loss of customer confidence. In some cases, such loss can also lead to legal consequences or can bring down the entire business.

Data protection laws are similar across Europe. Most countries on the continent have instituted a data protection authority with powers to oversee the application of the law and enforce its legislation, as well as to penalise compliance failures. They also mandate the appointment of a data controller, whose task is to ensure legal compliance, buttressed by the possibility of legal action in the case of failure.

Technology exists, such as Secure Sockets Layer (SSL) encryption, that can help to ensure that personal data remains accessible only by authorised individuals, although processes need to be in place to ensure that only the right amount of data is collected from individuals and that the data is destroyed when no longer needed.

This white paper looks in more depth at data protection trends in Europe, and at SSL security technology, its application, certificates and certificate management.

What is personal data?

• Any factual information relating to a living person that can identify them, either directly or indirectly, counts as personal data.
• Anonymised data can become personal when combined with other information: for example, names, addresses and credit card numbers, even purchasing preferences, holiday destinations or the value of a car.
• Some countries define a special level of personal data, including, for example, details of a person’s health, sexual life and religious or political beliefs.
• There is a risk of collecting unrequested personal data via the web, perhaps via an open text field on a web form.
• In some countries, personal data may be recorded or collected only with express written permission.

The data controller’s role

Lawfully, the data controller is the individual in charge of ensuring the safety of personal data for a particular organisation. In most countries, anyone handling personal data must take appropriate measures -- whether technical or organisational -- against unauthorised or unlawful processing of personal data and against accidental loss, destruction of, or damage to it. A data controller must register with the data protection authority in their country, provide a general description of their organisation’s data protection measures, and inform the authority if those measures change.

UK

Core legislation: Data Protection Act 1998
Legal obligations:
• Process personal data fairly and lawfully, usually only with consent
• Obtain and process the data for specified and lawful purposes only
• Not to obtain unnecessary, excessive or irrelevant personal data
• Keep personal data accurate and up to date, and for no longer than necessary
• Take appropriate measures to prevent unlawful use, or accidental loss, of the data
• Avoid transfer of the data to countries with inadequate data protection standards
Special personal data (eg health, sexual life and religious/political beliefs): should only be processed under certain strict conditions
Data protection authority: Information Commissioner

Data controllers should undertake risk assessments when deciding what measures are appropriate for their own organisation, taking into account the cost of implementation and the current state of technological development. The principles of data protection and legal responsibility also apply to third parties.
If the third-party host for your company’s website also processes company data, that party must provide guarantees of the measures they will take to ensure compliance. While your contracts with them should specify their obligations, you must remain vigilant in monitoring compliance.

Consequences of non-compliance

Failure to comply with data protection legislation can lead to severe penalties, not just from the legal authorities but also from customers and suppliers. Legal liability may fall on the data controller if he or she has failed to take appropriate data protection measures, as defined above, and a data breach occurs.

In the event of a breach, the data protection authority may ask an organisation’s data controller for more information, as well as investigating using other sources, in order to determine if the law has been broken. If appropriate, the authority will then issue an edict detailing the steps needed to rectify any breach that has been identified. Should the organisation’s data controller fail to respond to either notice, the controller or the organisation could be committing a criminal offence and face a fine. This fine could be unlimited, depending on the seriousness of the breach, and you may face a prohibition on data processing if you fail to remedy the situation within a reasonable time. Breaches deemed to be wilful or deliberate, especially for financial gain, could result in prison sentences.

On top of the legal consequences, organisations in breach are likely to suffer loss of reputation. Experience shows that customers abandon organisations which they feel are not taking data protection seriously. In the long run, this may be a more serious consequence than a fine. Individuals may also sue your organisation directly for any loss or distress caused to them as a result of the breach.

France

Core legislation: Law Nr. 2004-801
Legal obligations:
• Data must be obtained and processed fairly and lawfully
• Data should be obtained and processed only according to a specified, explicit end purpose
• Data should be relevant and not excessive in relation to the purpose for which they were obtained
• Data must not be kept for longer than is justified to achieve that purpose
• Data must be kept accurate and complete
• Data may only be processed with the subject’s consent, or where it is necessary to fulfil a legal or public service obligation
Special personal data (eg health, sexual life and religious/political beliefs): should only be recorded or collected with express written permission
Data protection authority: Commission Nationale de l’Informatique et des Libertés

Best data security practices

Across Europe, most countries’ data protection agencies do not prescribe specific measures that organisations should adopt as best practice. This makes sense, given the wide range of circumstances in which those organisations are operating and the pace of technological change. Instead, the agencies urge organisations to assess for themselves the appropriate level of security to protect their customers’ personal data. However, they suggest appropriate benchmarks to help organisations maintain their competitive advantage in the eyes of customers and partners.

Best practices are usually derived from and developed by specific industry sectors across Europe, although certain commonalities do emerge. For example, the most widely used method of securing data online is Secure Sockets Layer (SSL) encryption. As an industry standard, it should form a fundamental part of any organisation’s online data protection strategy. SSL is a security protocol that creates a unique encrypted channel to keep data private while being transmitted online. Each SSL certificate consists of a public key that encrypts information and a private key that deciphers it.
The information is scrambled in transit, so only the intended recipient can decode it. SSL certificates are available at up to 256 bits; the larger the number of bits in the key, the stronger the encryption. At current computing speeds, a motivated and resourceful hacker would require a trillion years to break into a session with 128-bit encryption. When a user enters their data into a website protected by an SSL certificate, they can do so with a high degree of confidence. On its own, SSL encryption cannot guarantee compliance with data protection legislation, but it is a proven method of reducing the risk of a breach and strengthening the organisation’s overall security.

Netherlands

Core legislation: Wet bescherming persoonsgegevens (Wbp)
Legal obligations:
• Processing data in a proper and careful manner
• Collecting data for specific, explicitly defined, and legitimate purposes only, with consent, or where it is necessary to fulfil a legal obligation
• Keeping data for no longer than necessary, and ensuring they are correct and accurate
• Only processing data that are adequate, relevant and not excessive with respect to the purpose of their collection
Special personal data (eg health, sexual life and religious/political beliefs): should not be processed unless it falls within certain legal exemptions
Data protection authority: College bescherming persoonsgegevens

How SSL encryption strengthens data security

As hackers become more sophisticated at intercepting personal data and the public become ever more wary of online fraud, your organisation cannot afford to stand still. When conducting regular reviews of the adequacy of your current measures, you may wish to consider whether you need more sophisticated protection. For example, if the type of data you collect has become more sensitive, you may need stronger encryption.
If industry standards are changing, it may be necessary to update your certificates to reflect current practices. You may also need to counter new hacking techniques that can hijack HTTP sessions and capture user login data over open Wi-Fi connections. In light of this and other threats, login details should be kept as secure as other personal data, and organisations should consider implementing SSL across their whole site, not just on secure pages.

A further issue to consider is whether your SSL certificates are up to date. This situation needs to be monitored, as an out-of-date certificate could leave you and your customers dangerously exposed. It could also bring down your e-commerce website, leading to lost sales while IT tracks down the problem.

The following five steps will help an IT administrator gain control over all SSL certificates within the enterprise:
1. Perform an audit of all domains and certificates
2. Consolidate all certificates into a managed account
3. Define an administrative process for your organisation
4. Set up alerts, run regular reports on available units and renewals
5. Revoke and replace certificates as needed

You may need to notify the data protection authorities about any changes to security measures.
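An added example (not from the white paper) of steps 1 and 4 in Python: it audits an inventory of certificate records shaped like the dict that Python’s ssl.SSLSocket.getpeercert() returns, so the same check can run over certificates fetched from live servers or over an offline inventory, and it flags expired, expiring and wrongly deployed certificates for the renewal alert. The domain names, dates and the 30-day warning window are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone

def days_until_expiry(cert: dict, now: datetime) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    expires_at = ssl.cert_time_to_seconds(cert["notAfter"])  # parses getpeercert() dates
    return int((expires_at - now.timestamp()) // 86400)

def covers_domain(cert: dict, domain: str) -> bool:
    """True if a subjectAltName DNS entry matches (single leftmost-label wildcard only)."""
    domain = domain.lower()
    names = [n.lower() for kind, n in cert.get("subjectAltName", ()) if kind == "DNS"]
    parent = domain.split(".", 1)[1:]  # [] for a single-label name, so "*." never matches it
    return any(n == domain or (n.startswith("*.") and parent == [n[2:]]) for n in names)

def audit_inventory(inventory, now: datetime, warn_days: int = 30) -> list:
    """One finding per (domain, cert) pair: ok, expiring, expired or name-mismatch.
    warn_days is the renewal alert window (assumed value; tune to your process)."""
    findings = []
    for domain, cert in inventory:
        days = days_until_expiry(cert, now)
        if not covers_domain(cert, domain):
            status = "name-mismatch"  # wrong certificate deployed for this name
        elif days < 0:
            status = "expired"        # the outage case the text warns about
        elif days <= warn_days:
            status = "expiring"       # renew now, before it lapses
        else:
            status = "ok"
        findings.append({"domain": domain, "days_left": days, "status": status})
    return findings

def renewal_report(findings: list) -> list:
    """Domains needing action: the body of the renewal alert in step 4."""
    return [f["domain"] for f in findings if f["status"] != "ok"]

def rec(san: str, not_after: str) -> dict:  # getpeercert()-shaped record (constructed)
    return {"subjectAltName": (("DNS", san),), "notAfter": not_after}

SAMPLE_NOW = datetime(2011, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
SAMPLE_INVENTORY = [  # constructed sample certificates, not real ones
    ("shop.example.co.uk", rec("shop.example.co.uk", "Jul  1 12:00:00 2011 GMT")),
    ("www.example.co.uk", rec("*.example.co.uk", "Dec 31 12:00:00 2011 GMT")),
    ("login.example.co.uk", rec("login.example.co.uk", "May  1 12:00:00 2011 GMT")),
    ("api.example.co.uk", rec("old.example.co.uk", "Dec 31 12:00:00 2011 GMT")),
]
```

For live servers, a record with the same shape comes from ssl.create_default_context().wrap_socket(...).getpeercert(), which also verifies the chain against the system trust store.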
Germany

Core legislation: Bundesdatenschutzgesetz (BDSG)
Legal obligations -- safeguards must:
• Prevent unauthorised access to and use of your data processing systems
• Ensure that persons authorised to use your data processing systems can only access such data as they are authorised to, and prevent any unauthorised reading, copying, modification or removal of personal data, and that it is possible to verify the recipients
• Ensure that you know who has input or modified personal data
• Ensure that any outsourced processing of personal data is conducted in compliance with your instructions and the law
• Ensure that personal data are protected against accidental destruction or loss
• Ensure that data collected for different purposes can be processed separately
Special personal data (eg health, sexual life and religious/political beliefs): may not be processed for commercial purposes without the subject’s consent, unless a legal exemption applies
Data protection authority: Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit

Conclusion

Data protection legislation is here to stay across Europe, and we all benefit, whether as consumers or as employees of organisations with public-facing websites. As well as protecting our own personal information, it helps to ensure that organisations take the retention of our personal information seriously. It boosts confidence in online transactions generally, and it creates a level playing field across the online transaction industry. A core tenet of that legislation is that data shall not be visible to unauthorised individuals. There is a range of security processes that can help ensure this goal is met, but it needs the right technology as its foundation.
That technology -- SSL encryption -- is robust and, when used as the underpinnings of a properly thought-through security strategy and combined with certificate management, can offer the best guarantee available that data relating to individuals will be protected.

More information

Visit our website: www.verisign.co.uk
To speak with a product specialist, call 0800 032 2101 or +44 (0) 208 6000 740

About Symantec

Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organisations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored.

Symantec World Headquarters
350 Brook Drive, GreenPark
Reading, Berkshire RG2 6UH, United Kingdom

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo and VeriSign Authentication are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.