As a follow-up to my blog posting yesterday, I wanted to point out that the European Union (EU) Data Protection Authorities (DPAs) have been very active in pursuing data protection law compliance.
The DPAs do investigate organizations in response to complaints, as is the practice in most countries, and especially in the U.S.; but the EU DPAs also proactively audit organizations for compliance industry by industry. Earlier this year they worked together to audit businesses within the health insurance industry.
This was not just the DPAs of two or three countries working together; the health insurance company audits were carried out by the DPAs of Austria, Belgium, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Slovenia, the Slovak Republic, Spain, Sweden, and the United Kingdom.
This is the first time that the EU DPAs have joined forces for data protection law compliance audits. It will not be their last. They indicate they will use six criteria to select the further industries that will receive these collaborative compliance audits.
The report points out the need for information security measures to be in place, and for data retention practices to comply with data protection (privacy) laws.
Interestingly, they also indicated,
“In a similar vein, we should also consider the possibility of future collaboration between WP29 and other international entities or organisations with privacy enforcement abilities and the ability to cooperate internationally (FTC, OECD, APEC, etc.) and in this way, contribute to a global improvement in data protection.”
So there is clearly a trend toward pursuing global compliance through cooperation among each country's oversight authorities.
This is one more incentive for multinational companies to know and understand all of their data protection and privacy requirements wherever they have offices, employees and customers, and then to act to comply with those requirements.
Tags: Article 29 Working Party, awareness and training, data protection law, EU Data Protection Directive, European Union, Information Security, IT compliance, policies and procedures, privacy, privacy law, risk management