From Paul Wood, assistant director of Montal IT Consulting.
A survey carried out by the UK Information Commissioner's Office (ICO) in May 2013 among 506 staff who described themselves as having responsibility for Data Protection showed that not one of them could accurately describe the effect the new European legislation would have on the current Data Protection Act (1998), which, as we all know, currently implements an EU directive.
Plans to implement Data Protection within the European Union under a single General Data Protection Regulation (GDPR) continue and, although there is significant contention and debate, the overall view seems to suggest that this could be introduced as early as 2015.
The word on the street suggests that any new legislation will increase the level of red tape associated with data protection rather than reduce it, and this will only have a detrimental effect on the cost of resources required to meet it. It could therefore have significant impact on business planning.
Current DPA legislation allows data processors to take a risk-based approach, but under the new proposals this would become more stringent and organisations would need to document and monitor compliance measures at all times. Data subject consent is also expected to be tighter with explicit consent required in all cases.
Organisations will need to have data protection officers, already a common occurrence in housing associations, but the proposals also suggest a new requirement that any data protection breaches are reported to the ICO within 72 hours of the organisation becoming aware of them.
In addition, data subjects (i.e. tenants, in the case of housing providers) would have the ‘right to be forgotten’ and could order housing providers to delete any records held about them. This might have a significant impact on any housing providers thinking about CRM, document management and HMS procurements; it’s worth thinking about the implications now, as the 2015 regulation is likely to make planning for data protection a mandatory part of the processing of services.
In addition, under the new proposals the regulation will introduce stricter penalty regimes with maximum fines for breaches increasing from the current £500,000 up to a million Euros or 2 per cent of turnover.
According to Symantec’s 2013 study, the average cost of a data breach for a UK organisation rose to over £2 million last year. While this figure is unlikely to have relevance among housing providers (other than reputational damage), it’s worth bearing in mind that over a third of all reported breaches were as a result of staff negligence, either through the loss of devices or failing to secure data.
Given that regulations are going to get tougher and that data breaches are increasing in a multi/omni-channel world, it’s worth considering how prepared you are for such an event and being honest about what you need to do and plan for it now. Here are a few pointers to consider:
- In an increasingly mobile world, are all the data risks considered? Often you will be giving access to data on mobile devices to operatives who have not previously received it in this way. Can you secure lost devices in case they fall into the wrong hands? If you don’t have any mobile device management software on the device, is it worth considering it, and if you do, when was it last tested to ensure it actually does what it says?
- Can you control other devices such as iPads and are you sure that all data is stored in corporate systems and not held on the device or other repositories? In essence, can you secure mobility as stringently as if it was a PC in the office? For remote workers, are you sure that they access data from remote location sites via protected environments and don’t simply email data to their own personal email address and then back again?
- Are password policies enforced in line with corporate directives, and can you show a clear record of this should an issue arise? Are you confident that the central password policy is applied consistently throughout the organisation without exception? Can you point to regular training on password strength, and can you show that every member of staff you employ knows this? If you have up-to-date policies, would a survey of staff knowledge, or an internal audit inspection of where to find them, be an embarrassment?
- Do you have a layered approach to security based on risk? In other words, do you have a Plan B if Plan A goes wrong, and can you rely on another form of defence to ensure security? For example, if devices are lost through a car theft, is there encryption in place?
- Are you comfortable with your physical security? If someone did break in, would they be able to steal any of your data? It’s rare that break-ins occur but it only needs to be once to cause some problems.
- Are anti-virus and anti-malware products up to date with the latest versions? Can the organisation show that these have been implemented, and are the change control records in place?
- Are your network defences secure, and are you confident that firewalls will do the job? In a former life I remember being subjected to an audit of the data protection capabilities of my network. When the report arrived, my worst fears were confirmed, as the auditor had subjected us to the same rigours applied to a bank. The auditor said that it was not enough to just protect the defences; you should accurately monitor the perimeters and ensure that you know whether anyone has attempted to intrude, so that you can analyse and further strengthen your defences.
- Do you have regular independent assessments, including penetration testing? Penetration testing can appear expensive, but if you consider the time and effort involved if someone does intrude into your system, it’s probably worth doing. And as websites become more transactional by offering card payment options, the risk of sensitive data breaches and their impact increases, and exposes organisations to PCI DSS obligations.
- Finally, do you have any data lying around, in any format, that you don’t need? Would it be worth spending some time either archiving it or simply destroying whatever you legally can?
Perhaps as Marissa Mayer, a prominent American businesswoman once said, “With data collection, ‘the sooner, the better’ is always the best answer.” It might be worthwhile to consider adopting this approach.