On October 7, 2010, the French Data Protection Authority (the “CNIL”) released its first comprehensive handbook on the security of personal data (the “Guidance”).  The Guidance follows the CNIL’s “10 tips for the security of your information system” issued on October 12, 2009, which were based on the CNIL’s July 21, 1981 recommendations regarding security measures applicable to information systems.

The Guidance reiterates that data controllers have an obligation under French law to take “useful precautions” given the nature of the data and the risks associated with processing the data, to ensure data security and, in particular, prevent any alteration or damage, or access by non-authorized third parties (Article 34 of the French Data Protection Act).  Failure to comply with this requirement is punishable by up to five years’ imprisonment or a fine of €300,000.

The Guidance provides general recommendations and best practices aimed at assisting data controllers with the implementation of appropriate security measures.  The Guidance is divided into 17 chapters, each dealing with a specific topic about data security, including:

  • Identifying data security risks
  • Authentication of users
  • Educating users on data security risks
  • Security of work stations
  • Security of external devices (e.g. smartphones, laptops, PDAs, flash drives)
  • Backup copies and disaster recovery plans
  • Network maintenance
  • Log files and management of data security breaches
  • Physical security of the premises
  • Security of internal networks
  • Security of servers and software applications
  • Data processors
  • Electronic archiving
  • Disclosure of personal data to third parties
  • Privacy by design
  • Anonymization
  • Encryption

Each chapter provides a summary of the issue, an outline of basic precautions, information on what not to do, and recommendations for going above and beyond. The Guidance also includes a data security evaluation form to help companies assess how well they’re protecting personal data.

For more information, read the CNIL’s Guidance (in French).

Update: On November 4, 2011, the CNIL released the English version of the Guidance.