Townsend Security Data Privacy Blog

Basics of the EU Data Protection Working Party

Posted by Michelle Larson on Mar 26, 2015 1:19:00 PM

Article 29 Security Guidelines on Data Protection



The Article 29 Working Party is composed of representatives of the national data protection authorities (DPA), the European Data Protection Supervisor (EDPS), and the European Commission. It is a very important platform for cooperation, and its main tasks are to:

  1. Provide expert advice from the national level to the European Commission on data protection matters.
  2. Promote the uniform application of Directive 95/46 in all Member States of the EU, as well as in Norway, Liechtenstein and Iceland.
  3. Advise the Commission on any European Community law (so called first pillar), that affects the right to protection of personal data.


Download the EU Data Privacy White Paper

Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose. Furthermore, persons or organisations which collect and manage personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by EU law.

Every day within the EU, businesses, public authorities and individuals transfer vast amounts of personal data across borders. Conflicting data protection rules in different countries would disrupt international exchanges. Individuals might also be unwilling to transfer personal data abroad if they were uncertain about the level of protection in other countries.

Therefore, common EU rules have been established to ensure personal data enjoys a high standard of protection everywhere in the EU. The EU's Data Protection Directive also foresees specific rules for the transfer of personal data outside the EU to ensure the best possible protection of sensitive data when it is exported abroad.

In order to help address these EU objectives, Patrick Townsend, Founder and CEO of Townsend Security recommends the following data protection best practices:

  • Encrypt Data at Rest
    Make a full inventory of all sensitive personal information that you collect and store. Use strong encryption to protect this data on servers, PCs, laptops, tablets, mobile devices, and on backups.
  • Use Industry Standard Encryption
    Advanced Encryption Standard (AES, also known as Rijndael) is recognized world-wide as the leading standard for data encryption.
  • Use Strong Encryption Keys
    Always use cryptographically secure 128-bit or 256- bit AES encryption keys and never use passwords as encryption keys or the basis for creating encryption keys.
  • Protect Encryption Keys from Loss
    Encryption keys must be stored away from the data they protect.  Keys must be securely managed and should be compliant with the industry standards such as NIST FIPS 140-2 which is recognized and accepted worldwide.
  • Change Encryption Keys Regularly
    Change your encryption keys on a quarterly or semi-annual basis. Using one encryption key for a long period of time can expose you to a breach notification for historical data.
  • Use Strong, Industry Standard Hash Algorithms
    Never use MD5 or other weaker hash methods. Use the SHA-256 or SHA-512 methods for your hash requirements.
  • Use Keys or Salt with Your Hashes
    You can use the Hashed Message Authentication Code (HMAC) method with an encryption key or use a strong encryption key under the protection of a key manager as the salt for the hash method.

For more detailed information on these recommendations, download the white paper on the "EU Data Privacy Protections and Encryption":

Click to Request the EU Data Privacy White Paper

Topics: Compliance, Data Security, EU Data Privacy Protection, Encryption Key Management, Defense-in-Depth, White Paper