The EU Data Retention Directive 2006/24/EC is currently in its implementation phase. This means that, at member state level, each EU country should have its own version of the "data retention" directive embodied and incorporated into its national law. For example, the UK version has been in effect since 6th April 2009.
The data retention regulations will impact public communication providers (fixed, mobile telecoms, ISPs) that have communications data generated or processed on their networks or from using the services they provide.
The regulations require traffic, location and subscriber data to be retained for a minimum of 6 months and up to 4 years (e.g. in the UK the local law requires 12 months) – the so-called storage of call detail records (CDRs) and transaction data (IPDRs).
The regulations also outline four data security principles that should apply to retained data:
- retained data must be of the same quality and subject to the same level of security as the data on the network
- technical and organisational measures must be in place to protect against accidental or unlawful disclosure, access, alteration and loss
- retained data must only be accessible to authorised persons
- all retained data must be destroyed at the end of the retention period
When data is requested by law enforcement the data must be able to be found and transmitted "without undue delay".
Alongside the data retention regulations there is the European Parliament and Council review of the E-Privacy Directive 2002/58/EC, which is likely to create a breach notification regime that would also apply only to electronic communications providers (telco, ISP, mobile, cable). The two regulations are interlinked.
What does all this mean if you are a public communications provider?
- Data Retention Directive: telcos, ISPs, mobile and cable providers have to retain communications data for a year (UK) to allow requested access to the data for investigation purposes.
- E-Privacy Directive: if passed, mandatory data breach notification will be required of all telcos, ISPs, mobile and cable providers if the data retained under the Data Retention Directive is lost.
- You are faced with the challenge of managing the complexity of a data centre with hundreds of storage devices and petabytes of data.
- This new data volume expands your IT infrastructure and exposes your business to more of the risks involved.
The adoption of the EU Data Retention Directive 2006/24/EC and the E-Privacy Directive 2002/58/EC has a direct implication for your IT and security infrastructure and processes.
Like all other Internet, telecommunications, cable and mobile service providers, you will be mandated to retain communications data for at least a year to allow requested access to the data for investigation purposes.
The retained data will also need to be protected with an appropriate level of security measures to prevent data breach and data loss as well as misuse of the retained data.
With these new directives in place, data volumes will increase across your IT infrastructure, which can make your business more vulnerable to the information risks involved.
Symantec can help you to manage the complexity of your data retention initiatives, as well as other regulations and internal mandates. With Symantec software and services, you can secure and manage your information-driven enterprise against more risks at more points while reducing your information costs.
Please visit http://www.symantec.co.uk/dataretention to find out more.
We help you ensure that
can be protected completely and managed easily with automated control – wherever information is used, stored or communicated. Please don't hesitate to contact me directly with any further questions.