On October 12, 2009 the CNIL issued ten recommendations for companies to help protect their data. The recommendations are fairly basic, ranging from implementing a rigorous password policy to ensuring that only authorized personnel have access to the company’s computer room. The recommendations have an important pedagogical role, however, and illustrate that the CNIL is broadening its scope from its traditional role of defining under what conditions personal data can be processed in France to dealing with the results of that processing, in particular the prevention of data breaches.
For those familiar with the security recommendations issued by ENISA, the European Network and Information Security Agency, the CNIL’s recommendations may seem quite rudimentary in comparison. ENISA has issued a number of detailed recommendations on data security, and it is unfortunate that the CNIL did not refer to the excellent ENISA work in this area. See, for example, ENISA’s 2009 papers "10 Security Awareness Good Practices" and "Information Security Awareness in Financial Organizations – Guidelines and Case Studies." However, the CNIL’s recommendations may only be a first step, and it will be interesting to see whether the CNIL’s guidance evolves as concern about data breaches continues to grow.