We recently released our quarterly UK technology barometer report on the trading environment, boardroom confidence, company valuations and M&A activity. The report surveyed 500 C-level executives from UK-based software, IT and telecoms firms.
One of the most interesting points concerned the growth of infrastructure and security. Large-scale data security incidents that have occurred over the past few years tell us that data security must be a top priority and it is hard to see why technology infrastructure should be exempt from this - in many cases, there is a strong argument for technology to take the lead.
Obligations to secure personal data are enshrined in the European Data Protection Directive of 1995, which has since been localised and implemented in each of the EU member states. This requires organisations to take measures to address risk. The fundamental principle requires that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
Controls to keep data secure must be not only technical but also organisational in nature. It is clear, as many other related texts within data protection legislation support, that a risk-based approach is required, so that controls at both the organisational and technical levels protect the data against the risks that have been assessed and identified.
Many organisations will look at addressing this at an enterprise-wide level, rather than implementing ad hoc controls and policies aimed at either technical measures or organisational measures.
To some degree, organisational measures may be controlled by using technology-driven solutions that ensure people-based controls are genuinely embedded into the use of systems that house personal data.
The question is whether organisations can improve their technology infrastructure so that people- and organisation-based controls are also covered - for example, by ensuring that email systems provide sufficient filter-based controls to prevent large-scale data seepage via email leaving the organisation.
A more specific example may be the use of a filter that will stop an email before it goes out, and maybe even take further steps to remind the sender that there are internal policies that need to be adhered to regarding data stored within the attachments or in the email.
This acts as a check or even as a form of pre-authorisation before that email and the data within it leave the organisation.
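The outbound filter described above, written out as an added illustration that is not part of the original article and not any vendor's product: it parses a message the way a mail gateway would, scans the body and any text attachments for personal data, and holds the message with a policy reminder only when it is addressed outside the organisation. The internal domain (example.co.uk), the two detection patterns (UK National Insurance numbers and Luhn-valid 16-digit card numbers), and the sample messages are all constructed assumptions for the example.

```python
"""Outbound e-mail personal-data check (constructed example, not from the article).

Assumptions: the organisation's domain is example.co.uk; policy flags UK National
Insurance numbers and Luhn-valid 16-digit payment card numbers; only text/* parts
are scanned, and anything else is reported as unscanned so a reviewer can see it.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

INTERNAL_DOMAIN = "example.co.uk"  # assumed; replace with the organisation's own domain

# UK National Insurance number: two prefix letters, six digits, suffix A-D.
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")
# Candidate card numbers: four groups of four digits, optionally spaced or hyphenated.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")

POLICY_REMINDER = (
    "This message was held because it appears to contain personal data. "
    "Internal policy requires personal data to be sent encrypted and only "
    "with a documented business need; please review the findings before resending."
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out random 16-digit strings that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return (kind, value) findings for personal-data patterns in a text fragment."""
    findings = [("nino", m.group()) for m in NINO_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", digits))
    return findings


def external_recipients(msg) -> list:
    """Addresses in To/Cc/Bcc whose domain is not the organisation's own."""
    ext = []
    for header in ("To", "Cc", "Bcc"):
        for h in msg.get_all(header, []):
            for addr in h.addresses:
                if addr.domain.lower() != INTERNAL_DOMAIN:
                    ext.append(addr.addr_spec)
    return ext


def inspect_outbound(raw: bytes) -> dict:
    """Decide whether a raw RFC 822 message may leave the organisation."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = scan_text(str(msg.get("Subject", "")))
    unscanned = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "text":      # body and text/csv attachments
            findings.extend(scan_text(part.get_content()))
        else:                                          # binary attachments: flag, don't guess
            unscanned.append(part.get_filename() or part.get_content_type())
    external = external_recipients(msg)
    decision = "block" if (findings and external) else "allow"
    return {
        "decision": decision,
        "findings": findings,
        "external": external,
        "unscanned": unscanned,
        "reminder": POLICY_REMINDER if decision == "block" else "",
    }


def build_sample(to_addr: str) -> bytes:
    """Constructed test message: a body with a card number and a CSV attachment with a NINO."""
    msg = EmailMessage()
    msg["From"] = "alice@example.co.uk"
    msg["To"] = to_addr
    msg["Subject"] = "Customer export"
    msg.set_content("Hi, the export is attached. Card on file: 4111 1111 1111 1111.")
    msg.add_attachment("name,nino\nJ Bloggs,AB123456C\n", subtype="csv", filename="customers.csv")
    return msg.as_bytes()


SAMPLE_EXTERNAL = build_sample("bob@partner-example.com")   # leaves the organisation
SAMPLE_INTERNAL = build_sample("carol@example.co.uk")       # stays inside

if __name__ == "__main__":
    for raw in (SAMPLE_EXTERNAL, SAMPLE_INTERNAL):
        result = inspect_outbound(raw)
        print(result["decision"], result["findings"], result["external"])
```

Running the module holds the externally addressed copy (card number in the body, NINO in the CSV) and lets the internal copy through. A real gateway would also need to open common office and archive formats before scanning them; here those simply appear in the unscanned list so the gap is visible rather than silently passed.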
Failure is not an option
This could mean that businesses gradually become more reliant on technical means of keeping data secure, including infrastructure software to manage the control of both the technical and organisational measures that have been taken to secure data.
This raises the question of whether an organisation’s current system and infrastructure can be tailored to meet such demands. Or does this mean new or bolt-on systems will be needed to achieve the right data security control environment?
It is certain that the sanctions are severe under the current data protection law - fines of up to £500,000 for a major breach in the UK. And under the proposed new package of laws, failure could attract fines of up to two per cent of an organisation’s global annual turnover. So failing to secure data can prove to be a costly mistake.
Vinod Bange is partner at law firm Taylor Wessing