Main Regulations Affecting Information Security - United Kingdom

GLOBAL: universal regulations or standards, applicable to entities worldwide.

Who's impacted: the entities to which each standard or regulation applies, listed as bullet points under each entry.

GLOBAL

Risk Management

Basel II

Basel II is an accord of the Basel Committee on Banking Supervision, implemented through national regulators, whose aim is to align banks' capital requirements more closely with the risks they actually carry. Banks are required to measure, monitor, mitigate and disclose credit, market and operational risk; operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, which is where information security failures are counted.

http://www.bis.org/publ/bcbsca.htm

  • Global financial services organizations
  • Internationally active banks. In the United States the accord is mandatory for "core" banks with total assets greater than $250 billion or foreign exposures greater than $10 billion.

Payment Card Industry (PCI) Data Security Standard

The aim of this standard is to provide a single set of technical and operational security requirements, maintained by the PCI Security Standards Council on behalf of the card brands, for every organization that stores, processes or transmits cardholder data. Merchants and service providers use the standard to assess and attest to their security status; the form of validation required (a self-assessment questionnaire or an on-site assessment by a Qualified Security Assessor) depends on transaction volume and the card brands' rules.

https://www.pcisecuritystandards.org/

  • All members, merchants, and service providers that store, process, or transmit cardholder data.


UNITED KINGDOM

Corporate Governance

The Turnbull Guidance 1999

This guidance (Internal Control: Guidance for Directors on the Combined Code, issued in 1999 and revised in 2005) asks boards to identify, evaluate and manage the significant internal and external risks facing the company, and to review the effectiveness of the resulting system of internal control, which covers operational and compliance controls as well as financial ones.

http://www.frc.org.uk/corporate/internalcontrol.cfm

  • All companies listed on the London Stock Exchange.

The Companies Act 1985 (Operating and Financial Review and Directors' Report etc.) Regulations 2005

These regulations (SI 2005/1011) amend the Companies Act 1985 to require an expanded directors' report containing a business review and, for quoted companies, an Operating and Financial Review (OFR). Both must contain a fair review of the business of the company and a description of the principal risks and uncertainties facing it.

http://www.opsi.gov.uk/SI/si2005/20051011.htm

  • Expanded directors' report: large companies
  • Operating and Financial Review (OFR): UK quoted companies.

The Companies (Audit, Investigations and Community Enterprise) Act 2004

This act aims to improve the reliability of financial reporting and the independence of auditors. It strengthens the role of the Financial Reporting Review Panel (FRRP) in enforcing good accounting and reporting.

http://www.opsi.gov.uk/ACTS/acts2004/20040027.htm

  • All companies audited in the UK and their directors.

Money Laundering Regulations 2003 (MLR)

These regulations (SI 2003/3075) require relevant businesses to appoint a nominated officer (the money laundering reporting officer, MLRO) to receive internal reports of suspicious activity, to train employees on the principles and requirements of the legislation, to verify the identity of new clients, and to securely maintain records of client identification and transactions for five years.

http://www.opsi.gov.uk/si/si2003/20033075.htm

  • Financial services institutions and financial services professionals
  • Relevant industries such as estate agencies
  • High value dealers: entities dealing in goods that accept cash payments of €15,000 or more.

Privacy

UK Data Protection Act 1998

This act legally binds any entity processing personal data to follow good practice in managing and using that data. All data controllers must comply with eight enforceable data protection principles. The seventh principle requires appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss, destruction of, or damage to personal data; the eighth restricts transfers outside the European Economic Area to countries with adequate protection. The act has since been superseded by the Data Protection Act 2018, which sits alongside the UK GDPR.

http://www.opsi.gov.uk/ACTS/acts1998/19980029.htm

  • Any organization that determines how personal data is processed (the data controller); processors acting on its behalf are bound through contract.

The Freedom of Information Act 2000 - UK

This act gives the general public a right of access to information held by public authorities. Section 77 makes it an offence to alter, deface, block, erase, destroy or conceal a record with the intention of preventing its disclosure once a request has been made. In practice, public authorities therefore need record-keeping systems that preserve information in its original form and keep it retrievable so that requests can be answered within the statutory time limit.

http://www.opsi.gov.uk/ACTS/acts2000/20000036.htm

  • Public authorities in England, Wales and Northern Ireland, and UK-wide public authorities (Scottish public authorities are covered by the separate Freedom of Information (Scotland) Act 2002).


EUROPEAN UNION

Privacy

EU Data Protection Directive (EU DPD)

This directive (95/46/EC) covers the processing of personal data, including automatically processed data and manual data held in a structured filing system. Organizations must implement appropriate technical and organizational measures to protect personal data against unauthorized access, accidental or unlawful destruction, accidental loss, alteration or unauthorized disclosure, and may transfer personal data outside the EU only to countries that provide an adequate level of protection.

The US Safe Harbor arrangement allowed US companies that self-certified to a set of privacy principles to be treated as providing adequate protection for such transfers. It was invalidated by the Court of Justice of the European Union in October 2015, and the Directive itself was replaced by the General Data Protection Regulation (Regulation (EU) 2016/679) with effect from 25 May 2018.

http://www.cdt.org/privacy/eudirective/EU_Directive_.html

  • Organizations established in EU member states, each of which transposed the Directive into national law (the Data Protection Act 1998 in the UK)
  • Organizations outside the EU that receive personal data transferred from them.

Privacy and Electronic Communications (EC Directive) Regulations 2003

These regulations transpose Directive 2002/58/EC on privacy and electronic communications. They protect the public from unsolicited electronic marketing (email, SMS, fax and automated calls) that causes nuisance, offence or invasion of privacy by requiring prior consent or an existing customer relationship, and they regulate the use of cookies and of traffic and location data. Providers of public electronic communications services must take appropriate technical and organizational measures to safeguard the security of their services and must inform subscribers of any particular risk of a breach of network security.

http://europa.eu.int/comm/justice_home/fsj/privacy/law/index_en.htm

  • Organizations that use email, SMS or telephone marketing
  • Telecom companies and ISPs, which must implement additional security technologies and practices to safeguard their services and subscriber data.

Information Integrity

EU GMP Annex 11, Computerised Systems

Annex 11 of the EU Guide to Good Manufacturing Practice (EudraLex Volume 4) applies GMP principles to computerised systems used in the manufacture of medicinal products. Its main aim is to ensure that "records are accurately made and protected against loss or damage or unauthorized alteration so that there is a clear and accurate audit trail throughout the manufacturing process"; to that end it requires system validation, access restricted to authorised persons, recording of data changes, regular data backup and tested recovery procedures.

http://www.labcompliance.com/documents/europe/h-213-eu-gmp-annex11.pdf

  • Manufacturers of medicinal products using computerised systems as part of GMP-regulated activities.
