The French data protection authority, the CNIL, recently published a translated version of its Guide on Personal Data Security.
The Guide is designed to help data controllers meet their obligations under French law regarding the security of the personal data they collect, use and maintain.
The French Data Protection Act N°78-17 of January 6,1978, requires data controllers to take “all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data and, in particular, prevent their alteration and damage, or access by non-authorized third parties” (Art. 34 of the Act). Failure to guarantee the security of the data is punished by five years’ imprisonment and a €300,000 fine (Article 226-17-1 of the Penal Code).
This Guide should be of interest not only to controllers established in France but more generally, to any entity that directly or indirectly uses IT systems in France.
CNIL emphasizes that threats to systems and information networks are today numerous: computer fraud, fraudulent data collection, data loss, vandalism, disasters such as fires or floods, dissemination of confidential information, identity theft etc…and urges data controllers to take them seriously.
This document comprises 17 factsheets, each focused on a specific data security issue, such as for example:
– users authentication;
Each factsheet includes an overview of the issue, security do’s and don’ts, as well as guidelines and recommendations for improvement.
With the useful checklist attached at the end of the document, data controllers can assess the level of the security measures already in place in their organization and identify which measures should be taken to improve the protection of personal data.
The English translation of the guide Sécurité des données personnelles published in French in 2010 was motivated by frequent requests received from non French-speaking readers.
It is the first guide translated by the CNIL into English. According to the CNIL “This is both a clear sign of our significant investment in IT security and of our commitment to advance the protection of personal data in a globalized international environment”.
The English translation of the Guide is available online here.