mitachu
Honorable But Hopeless Addict
United Kingdom
1946 Posts
Status: offline
Posted - 05/10/2007 : 06:48:39 AM
Most of the compliance info that I receive and find seems to be related to US-based companies or UK companies that have a US presence in one way, shape, or form.
Can anyone recommend a good, unbiased source for information on what UK companies need to do to, well, cover their asses? I'm specifically after info on email compliance, data retention and so forth.
Tim
jadgate
Major Contributor
USA
917 Posts
Status: offline
Posted - 05/10/2007 : 1:12:14 PM
I can't say, but I'd start with a search for EU standards. Britain is part of the EU now and while they have their own governmental requirements, the EU ones are probably going to be more stringent, esp. if they do business in the rest of the EU.
Jim
James Adgate, CISSP, IT Auditor and Compliance Specialist, Data Loss Prevention (DLP), IT Security Policy and Risk Mitigation for Enterprises http://linkedin.com/in/jamesadgatech
joe_elway
Honorable But Hopeless Addict
Ireland
7393 Posts
Status: offline
Posted - 05/15/2007 : 02:54:56 AM
It depends on what industry you're in. If you are American in Europe then you have to comply with SOX and Euro regs. In Europe there are Euro regs, national regs and industrial regulations. So, take for example a finance company in Ireland that is a subsidiary of a traded USA corporation:
- SOX
- IFSRA (Irish finance regs)
- BASEL II (European finance crap that relies on IT)
Finance in Ireland have to do all the usual auditing and prevention stuff. Also supposed to keep 7 years of data, incl. mail. Where it gets fuzzy for us (and UK from what I understand) is that industrial regulations sometimes directly contradict employee rights. There was a recent case in the European court of human rights where some Welsh person won a ruling over loss of privacy.
Simple answer is to consult an industrial lawyer and to work with the regulatory bodies that apply to you. Hire people who have experience in compliance for your industry.
Aidan Finn MCSE, MVP (Virtual Machine)
IT Blog: http://www.aidanfinn.com My Photography: http://www.aidanfinnphoto.com/ Books: WS2012 Hyper-V Installation & Config Guide, MSFT Private Cloud Computing Twitter: http://twitter.com/joe_elway
NFerrar
Seasoned But Casual Onlooker
United Kingdom
71 Posts
Status: offline
Posted - 05/21/2007 : 05:31:52 AM
I'm not sure there are any strict email retention laws in the UK (not sure on the healthcare/government side of things though), just the statute of limitations meaning it's prudent to keep them for 7 years. Although without a proper archiving system I'm not even sure how admissible the emails would be as they'd be prone to tampering. As Joe says though, there's plenty of law firms out there that provide regulatory type consultancy; best off talking to them. The Data Protection Act is the main confusing bit of legislation, but that's mostly around storing information correctly and removing it when it's not required rather than having to keep data for a certain minimum period.
joe_elway
Honorable But Hopeless Addict
Ireland
7393 Posts
Status: offline
Posted - 05/21/2007 : 06:37:39 AM
There will absolutely be retention laws for various industries, e.g. the finance industry must retain electronic copies of contracts in a certain way. Seeing as UK and Irish regs are pretty similar, I wouldn't be surprised if Pharma/Banking must also keep mails for 7 years.
There is no substitute for calling in a solicitor or a consultant who specialises in this stuff. We talk a whole load of steam here but there's nothing better than talking to an expert on the subject. After a quick call, you'll be able to get directors to cough up the dough when you detail potential punishments for THEM if they don't ensure their organisation is compliant.
Retention systems tend to be pretty tight. The Commvault retention system restricts access to retained mails. They have two mail solutions, which confuses things. One is an archiving solution for leveraging cheaper storage. The other is a restricted access archive for regulatory compliance. Only people like Auditors and Security would have access. Don't have much more detail on that, but it sounds perfect for this sort of requirement.
You get a similar sort of restricted access functionality in OM 2007 Audit Collection Services if you want (based on what I saw in beta testing last year). Client security logs are collected and stored in a central database(s) and access is restricted.
You can audit stuff like crazy and store records of change. But in the end, if a director can convince the relevant auditors, security or IT people to make some "tweaks" here and there or to "clean up" *ahem* irrelevant data, then they can do a good job of disguising their tracks. IT is fallible; you need to wrap things up in processes and internal regulations.
Aidan Finn MCSE, MVP (Virtual Machine)
IT Blog: http://www.aidanfinn.com My Photography: http://www.aidanfinnphoto.com/ Books: WS2012 Hyper-V Installation & Config Guide, MSFT Private Cloud Computing Twitter: http://twitter.com/joe_elway
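Added example (not from this thread, and not how Commvault or OM 2007 ACS actually implement their archives): a hash-chained, append-only retention log in Python that makes the tampering NFerrar worries about, and the "tweaks" and "clean-ups" Aidan describes, detectable after the fact. Each entry commits to the SHA-256 of the entry before it, so editing a retained mail or deleting one from the middle breaks the chain. Deleting from the tail is only caught if the latest head hash was handed to someone outside IT (auditors, an escrow) at write time; that checkpoint process is an assumption of the example, and the mail records are constructed, not real messages.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # the fixed, public "hash before the first entry"


def _entry_hash(prev_hash: str, seq: int, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so a record always hashes identically.
    payload = json.dumps(
        {"prev": prev_hash, "seq": seq, "record": record},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class RetentionLog:
    """Append-only store: every entry commits to the hash of the one before it."""

    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> str:
        prev = self.head()
        seq = len(self.entries)
        h = _entry_hash(prev, seq, record)
        self.entries.append({"seq": seq, "prev": prev, "record": record, "hash": h})
        return h

    def head(self) -> str:
        # The value to escrow with a third party (auditors) as a checkpoint.
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries, expected_head=None):
    """Walk the chain from GENESIS. Returns (True, None) or (False, reason)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return False, f"sequence gap at position {i} (entry claims seq {e['seq']})"
        if e["prev"] != prev:
            return False, f"entry {i} does not link to the previous entry's hash"
        if _entry_hash(prev, i, e["record"]) != e["hash"]:
            return False, f"entry {i} content does not match its hash"
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "head hash differs from the escrowed checkpoint (tail entries removed?)"
    return True, None


# Constructed sample messages for the example; not real mail.
SAMPLE_MAIL = [
    {"msgid": "<1@example.invalid>", "from": "cfo@example.invalid",
     "to": "fd@example.invalid", "subject": "Q1 figures", "body": "Attached as discussed."},
    {"msgid": "<2@example.invalid>", "from": "fd@example.invalid",
     "to": "cfo@example.invalid", "subject": "Re: Q1 figures",
     "body": "These need restating before the audit."},
    {"msgid": "<3@example.invalid>", "from": "cfo@example.invalid",
     "to": "fd@example.invalid", "subject": "Re: Q1 figures", "body": "Leave them as they are."},
]


def build_sample_log() -> RetentionLog:
    log = RetentionLog()
    for m in SAMPLE_MAIL:
        log.append(m)
    return log


def demonstrate() -> dict:
    """Apply three kinds of 'clean-up' to copies of the log and report what verification says."""
    log = build_sample_log()
    checkpoint = log.head()  # assumed to have been escrowed with the auditors at write time

    edited = copy.deepcopy(log.entries)
    edited[1]["record"]["body"] = "Figures are fine."  # reword an inconvenient mail

    deleted = copy.deepcopy(log.entries)
    del deleted[1]                                    # remove an inconvenient mail

    truncated = copy.deepcopy(log.entries)[:-1]       # drop the most recent mail

    return {
        "intact": verify_chain(log.entries, checkpoint),
        "edited": verify_chain(edited, checkpoint),
        "deleted": verify_chain(deleted, checkpoint),
        "truncated_no_checkpoint": verify_chain(truncated),
        "truncated_with_checkpoint": verify_chain(truncated, checkpoint),
    }


if __name__ == "__main__":
    for name, (ok, why) in demonstrate().items():
        print(f"{name:27s} {'OK' if ok else 'TAMPERED: ' + why}")
```

The "truncated_no_checkpoint" case is the one to notice: a chain on its own says nothing about entries removed from the end, which is exactly the kind of "clean-up" an insider with write access would do. The escrowed head hash is the process wrapper Aidan is talking about; the code only gives you something an auditor can check, it does not stop the auditor being talked round.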