Data protection - being small won't help
Jinfo Blog

By Tim Buckley Owen

Abstract

Many companies remain remarkably complacent about data protection, with many believing it to be the domain of the boardroom or IT department rather than every employee's responsibility. Individuals are also relaxed about others knowing their personal data. It seems that a cultural shift is needed in terms of privacy risks.

Item

Complacency about sensitive information is putting European companies’ reputation at risk – but then some users seem equally relaxed about taking risks with their own personal data. Culture, not technology, appears to be the issue – so, as the authorities in both Europe and the United Kingdom continue to tighten up on data protection, there’s work for information managers to do.

A mere one percent of mid-sized European businesses consider information risk to be the responsibility of every employee, according to a survey by PricewaterhouseCoopers (PwC) for the information management firm Iron Mountain. Only 13% believe it’s a boardroom issue, compared with a third who think it’s exclusively the responsibility of the IT department – so it’s little wonder that the companies surveyed scored a pathetic 40.6 on average out of a possible 100 on PwC’s Information Risk Maturity Index.

As Iron Mountain indicates, it’s a cultural shift that is needed – not least because users too are becoming less concerned about privacy risks. The latest Adult Media Use and Attitudes report from the UK telecoms regulator Ofcom shows that a quarter of social networkers are relaxed about letting people they don’t know discover their date of birth or home town, and about one in six will share their details with anybody.

Whether people choose to have a care for their own privacy or not, the UK Information Commissioner’s Office (ICO) continues to tighten up on the rules. It recently issued guidance making clear that even people who are simply processing data on behalf of clients may in fact be data controllers themselves – with all the obligations that implies – depending on how much discretion they have over the data’s management.

In further guidance, the ICO has said that data controllers should be able to search both their live and archived records if someone wants to see what information the organisation holds about them. The argument that such a search would involve “disproportionate effort” is unlikely to impress, it warns.

Meanwhile across the Channel, the European watchdog the Article 29 Working Party has expressed some “disappointment” with the proposed new European data protection law. It disapproves of having a separate Directive for police and criminal justice, picks holes in proposals for a “right to be forgotten” and calls for a “one stop shop” for data subjects to visit.

What’s more, it doesn’t like the idea of small and medium sized enterprises being let off the hook. Data subjects should have the same level of protection regardless of who’s processing their data, it says.

So data protection isn’t going to go away. It will continue to affect businesses at every level – and, as so often seems to be the case, technological fixes are only part of it.

« Blog