As Sony receives a fine from the Information Commissioner’s Office (ICO) for a “serious” data protection breach, IT Governance, the global leader in IT governance, risk management and compliance expertise, hails European Privacy Day as an apt reminder of the need to protect our personal and customer data.
European Privacy Day 2013, which coincides with worldwide Privacy Day on 28 January, recognises the importance of privacy for our human values and fundamental freedoms. A platform that gives visibility to Europe-wide events organised by governmental and other institutions and civil society, it aims to draw the attention of individuals and businesses to the value that privacy and data protection have in our societies.
Alan Calder, CEO of IT Governance, says that this annual occasion is an essential reminder that data protection should not be feared, but rather be seen as a positive force for good.
Calder says: “Failure by businesses to protect their personal and customer data can have a dramatic impact. However, it’s also important to remember that data protection is good business practice and helps businesses to be operated securely and successfully. Being seen to look after your customers’ data properly is a prerequisite for a healthy, long-term business, as it is an enabler of customer trust and loyalty.
“The many media reports of data breaches and cyberattacks over the past year have demonstrated what can go wrong when people’s private information is poorly protected. They also underline why it is essential for all UK organisations that hold or process personal data to comply with the Data Protection Act (DPA).”
According to IT Governance, at an absolute minimum, organisations should carry out a DPA compliance audit to establish what work is necessary and the associated lines of responsibility, as well as executing a risk assessment around the storage and processing of personal data.
Calder says: “Good information governance is not only based on corporate awareness of and adherence to the requirements of data protection legislation. It’s also about consistent and systematic staff training, as employees are typically the weakest link in any compliance regime. Each member of the team must understand their own responsibilities, and how those responsibilities fit into their organisation’s overall drive to comply with data protection legislation.”
In addition, European Privacy Day 2013 flags upcoming changes in EU data protection legislation. These are likely to have a considerable impact on how local and international businesses operate in the UK in future.
Calder says: “In January 2012, the EU article 29 working party proposed a comprehensive reform of the EU’s 1995 data protection rules, with the intention of strengthening online privacy rights and boosting Europe’s digital economy, as well as the aim of creating a single law for all 27 EU Member States. The proposed General Data Protection Regulation is currently under consultation with national authorities, with a finalised version likely in 2014.
“So far, responses from the ICO, which is the UK’s independent authority set up to uphold information rights in the public interest, have been mixed. While, for example, breach notification has been ‘welcomed’, the right to be forgotten has been deemed ‘unrealistic’.”
If the proposals for the new European Data Protection Regulation are enacted, businesses in all EU member states will be obliged to notify EU data protection authorities, as well as the individuals whose data are concerned, of any breaches of data protection regulations or data leaks without undue delay - that is, within 24 hours. In addition, it is proposed that national authorities are able to impose penalties of up to 2% of a company’s worldwide turnover, in the event of severe data protection breaches.
Calder says: “One of the best ways to ensure that you comply with the proposed regime is to ensure that you currently comply with existing DPA requirements. Rather than operate in fear of stringent penalties, compliance should be viewed as a force for good, which helps you run your organisation more effectively and win more business. Indeed, whatever shape they take, the forthcoming changes to data protection law will make it all the more important to do everything you can to protect your personal and customer data.”