Executive summary
Many organisations are burying their heads in the sand when it comes to data protection compliance. They typically underestimate the potential for significant damage to their reputations and the risk to their networks from current threats. Moreover, the financial penalties for failing to adequately protect personal data have recently increased a hundredfold. However, they are failing to implement the procedural, technical and cultural changes required to achieve compliance with data protection legislation. By adopting strong data protection methods, controlled through a dedicated governance regime, organisations can not only improve their compliance but also deliver much wider efficiency savings — a genuine case of ‘more for less’.
Going beyond minimal compliance
The digital revolution has spawned increasingly chaotic networks of computer systems. Most organisations are the result of many decades of investment, growth, merger and acquisition, resulting in a patchwork of legacy information systems. As organisations seize on new developments such as cloud computing, software-as-a-service and other managed services, system boundaries will inevitably become more and more fuzzy. This rapid and ungoverned expansion is typical of organisations jostling to churn out new services in a competitive market.
Many of these organisations depend entirely on these sprawling networks to collect and process enormous quantities of personal and other sensitive data. This data is often essential to the successful delivery of services to citizens and customers. The recent strengthening of powers of the Information Commissioner, including a hundredfold increase in the fine for serious breaches of the Data Protection Act (1998) to a new maximum of £500,000.00, makes it essential for organisations to manage personal data effectively and efficiently.
However, recent examples of accidental loss and deliberate theft of personal data from government institutions and large commercial organisations in the UK demonstrate a lack of awareness of the impact of compliance on their reputations and the value placed on such data by criminals.
Despite the risks, some organisations are burying their heads in the sand when it comes to achieving data protection compliance. When they wrongly believe a significant data loss could never happen to them, it should come as no surprise that risk and compliance managers struggle to justify additional investment in data protection — particularly in today’s challenging economic climate. However, against a new generation of dynamic, hard-to-predict threats from organised criminal groups, maliciously entrepreneurial insiders or simple human error, organisations which take the path of minimal compliance place themselves at greater risk of failing to adequately protect their data. They are also the least likely to have people with the experience and depth of understanding needed to sort the resulting problems out quickly and efficiently.
It will take a major security incident or a serious breach of the Act for an organisation to appreciate the true nature of the problem they face – and by this time, of course, it is too late. Not only will they have to accept potentially significant damage to their reputation — and the knock-on impact of customer churn, revenue loss and declining profit — but they will also have to carry out costly remedial action, cope with a heavy fine from the Information Commissioner’s Office (ICO) and potentially face criminal proceedings.
Patchwork approaches to data governance create additional complexity. Databases can be installed in isolation, applications are created locally and the same data is often found to be copied many times across an enterprise. IT staff and system users, who have grown up with the wild frontier of the Internet – and the apparent acceptability of sharing personal information via social networking, blogging and online gaming sites – find it difficult to cross the cultural divide into a suitably rigorous personal data handling environment. Against this complex IT and behavioural landscape, assessing compliance against data protection principles is hard enough. Ensuring they are adhered to for all instances of personal data held or processed is a daunting undertaking.