New data protection laws

Dave ClarkeOur mountains of business data seem to swell with geometric rates and for most of us that information contains personal information about our customers.

This means our responsibilities and obligations to protect that information as covered in the Data Protection Act become ever more important.

As well as legal powers to ensure that organisations comply with the requirements of the Data Protection Act, from April 6th 2010 the Information Commissioner's Office will have new powers to issue monetary penalties.

Organisations could face fines of up to £500,000 for serious breaches of the Data Protection Act.

The majority of businesses I have worked with take the issue of Data Protection seriously. Often, however, their Data Protection policies lack full coherence and do not fully cover the eight principles on which the Data Protection Act is based.

An example of this is a familiar story whereby I visited a business to provide consultancy surrounding their Data Protection Policy.

I was taken to a small computer room and proudly shown a new firewall and network protection appliance that had cost a few thousand pounds and was indeed a great piece of hardware to protect their infrastructure.

During my visit I saw staff coming and going with laptops and questioned what information was stored on those laptops only to find out that data contained customer personal details – and was therefore covered under the Data Protection Act – was being stored and taken off-site.

This information was being stored without encryption and could easily have been read by a third party if the laptop had been stolen.

A quick look at the Information Commissioner's Office website reveals that many of the enforcement notices given to businesses large and small surround data being taken off-site in this way via laptop, optical disk media or USB storage devices.

There are many ways to provide total data security with all the technology available today without huge capital expenditure. The many services provided by using cloud computing enhance these options further.

However it's also very important to make sure that your staff are aware of their obligations and for any business to review their Data Protection Policy as a whole including the handling of data electronically or on paper.

Dave Clarke, Love I.T