Strengthened Data Protection Act may force significant business change
22/02/2008
There has been little improvement in the way organisations manage personal data, despite the Data Protection Act now being a decade old.
That’s the finding of IT compliance consultancy Global Secure Solutions, which asserts that the relatively toothless nature of the legislation means that companies are paying it lip service.
Says Pauline Brace, GSS principal security consultant: “We’re in pretty much the same situation as when the Data Protection Act was introduced. Large organisations with the most to lose, such as government agencies, insurance and financial institutions, have done more work, but SMEs have a long way to go.
“Yes they may have notified the information commissioner that they’re processing personal data and, yes, they may have addressed the way they collect data, with the tick box opt-in, opt-out stuff. But there are still the same types of exposures around data security – not necessarily on the high tech side, but in the way that information is accessed and used.”
Brace suggests that companies are failing to address internal security administration and, more importantly, failing to build secure contracts with suppliers – trusting untrained individuals with sensitive data, even exposing whole databases.
“Long before now, companies should have had robust regulatory frameworks embedded in all areas that have a role to play. Project managers should be engaging the expertise needed to do privacy impact assessments – but frankly, it’s expensive and the expertise is in short supply,” she says.
“It’s not a very pretty picture. The recent major government security breaches aren’t new, but the security industry isn’t getting very far because of these cost implications and the fact that breaches don’t attract much of a penalty.”
Brace believes that will change when the information commissioner is granted powers to go in and audit companies without consent.
“The commissioner is also seeking powers for imprisonment – so touching the body corporate and individuals responsible for data disclosures,” she warns. “The House of Lords recommended that the UK go ahead and implement this in advance of the EU last November, but that was rejected in favour of waiting for the EU. But this will come.”
Before it does, companies need to get a much clearer strategy and much better systems in place.
Author Brian Tinham