Measure for measure on data
Vinod Bange looks at the current and upcoming data protection laws and examines the challenges for the channel in helping protect businesses
We recently released our quarterly UK technology barometer report on the trading environment, boardroom confidence, company valuations and M&A activity. The report surveyed 500 C-level executives from UK-based software, IT and telecoms firms.
One of the most interesting points concerned the growth of infrastructure and security. Large-scale data security incidents that have occurred over the past few years tell us that data security must be a top priority and it is hard to see why technology infrastructure should be exempt from this - in many cases, there is a strong argument for technology to take the lead.
Obligations to secure personal data are enshrined in the European Data Protection Directive of 1995, which has since been localised and implemented in each of the EU member states. This requires organisations to take measures to address risk. The fundamental principle requires that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
Controls to keep data secure must be organisational as well as technical. It is clear, and supported by many other related texts within data protection legislation, that a risk-based approach is required: controls at both the organisational and the technical level must protect the data against the risks that have been assessed and identified.
Many organisations will look at addressing this at an enterprise-wide level, rather than implementing ad hoc controls and policies aimed at either technical measures or organisational measures.
To some degree, organisational measures may be controlled by using technology-driven solutions that ensure people-based controls are genuinely embedded into the use of systems that house personal data.
The question is whether organisations can improve their technology infrastructure to ensure that people- and organisational-based controls are covered - for example, to ensure that email systems provide sufficient filter-based controls to avoid large-scale data seepage via email that leaves an organisation.
A more specific example may be the use of a filter that will stop an email before it goes out, and maybe even take further steps to remind the sender that there are internal policies that need to be adhered to regarding data stored within the attachments or in the email.
This acts as a check or even as a form of pre-authorisation before that email and the data within it leave the organisation.
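The outbound filter described above, written out as an added illustration (this is not code from the article or from any product it refers to). It screens a message bound for an external recipient for personal data in the subject, body and text attachments, lets clean mail through, reminds the sender of policy when a few items are present, and holds the message for pre-authorisation when it carries payment card numbers or a bulk export of records. The internal domain, the bulk threshold, the simplified UK National Insurance number pattern and all sample messages are assumptions constructed for the example.

```python
"""Outbound e-mail screening: a constructed illustration of a filter that
holds a message for pre-authorisation before personal data leaves the
organisation. Domains, thresholds and sample messages are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: mail to these domains stays inside the organisation and is not screened
INTERNAL_DOMAINS = {"example.co.uk"}

# Assumption: this many distinct personal-data items in one message counts as a bulk export
BULK_THRESHOLD = 50

# Simplified UK National Insurance number pattern (two letters, six digits, suffix A-D)
NI_NUMBER = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")
EMAIL_ADDRESS = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# 13-19 digits optionally separated by spaces or hyphens; confirmed with Luhn below
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(candidate: str) -> bool:
    """True if the digits pass the Luhn check; filters out most random digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Decision:
    action: str              # "allow", "warn" or "hold"
    counts: dict             # distinct personal-data items found, by category
    reminder: Optional[str]  # text shown to the sender, if any


def find_personal_data(text: str) -> dict:
    """Collect distinct personal-data items of each category from free text."""
    return {
        "ni_numbers": set(NI_NUMBER.findall(text)),
        "emails": {m.lower() for m in EMAIL_ADDRESS.findall(text)},
        "cards": {c for c in CARD_CANDIDATE.findall(text) if luhn_ok(c)},
    }


def screen_outbound(message: dict) -> Decision:
    """Decide whether a message may leave the organisation as-is.

    message = {"to": [...], "subject": str, "body": str, "attachments": {name: text}}
    """
    external = [r for r in message["to"]
                if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if not external:
        return Decision("allow", {}, None)   # purely internal mail is out of scope here

    # Scan subject, body and every text attachment as one corpus
    parts = [message.get("subject", ""), message.get("body", "")]
    parts.extend(message.get("attachments", {}).values())
    found = find_personal_data("\n".join(parts))
    counts = {k: len(v) for k, v in found.items()}
    total = sum(counts.values())

    if counts["cards"] or total >= BULK_THRESHOLD:
        return Decision("hold", counts,
                        f"Held for pre-authorisation: {total} personal-data item(s) "
                        f"addressed to {', '.join(external)}. Confirm this transfer "
                        "complies with the data handling policy before release.")
    if total:
        return Decision("warn", counts,
                        f"Reminder: this message carries {total} personal-data item(s) "
                        "to an external recipient; check it is permitted by policy.")
    return Decision("allow", counts, None)


# --- constructed sample messages (not real data) ---------------------------
def _bulk_csv(rows: int) -> str:
    lines = ["name,email,ni_number"]
    for i in range(rows):
        lines.append(f"Person {i},person{i}@example.org,AB{100000 + i:06d}C")
    return "\n".join(lines)


SAMPLES = {
    "clean": {"to": ["partner@example.org"], "subject": "Meeting",
              "body": "See you Thursday at 10.", "attachments": {}},
    "single": {"to": ["hr@example.org"], "subject": "Reference",
               "body": "Her NI number is AB123456C.", "attachments": {}},
    "bulk_export": {"to": ["vendor@example.net"], "subject": "Customer list",
                    "body": "Attached as requested.",
                    "attachments": {"customers.csv": _bulk_csv(60)}},
    "card": {"to": ["shop@example.org"], "subject": "Payment",
             "body": "Card 4111 1111 1111 1111 exp 12/27", "attachments": {}},
    "internal": {"to": ["finance@example.co.uk"], "subject": "Payroll",
                 "body": "NI AB123456C", "attachments": {"p.csv": _bulk_csv(60)}},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        d = screen_outbound(msg)
        print(f"{name:12s} -> {d.action:5s} {d.counts}")
```

The three-way outcome is the point: a filter that only blocks creates workarounds, while one that reminds the sender on low-volume findings and holds only bulk exports and card data keeps the organisational policy visible at the moment of sending. A production gateway would also need to decode real attachment formats, and the patterns here will both miss and over-match compared with a tuned classifier.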
Failure is not an option
This could mean that businesses gradually become more reliant on technical means of keeping data secure, including infrastructure software that manages both the technical and the organisational measures taken to secure data.
This raises the question of whether an organisation’s current system and infrastructure can be tailored to meet such demands. Or does this mean new or bolt-on systems will be needed to achieve the right data security control environment?
It is certain that the sanctions are severe under the current data protection law - fines of up to £500,000 for a major breach in the UK. And under the proposed new package of laws, failure could attract fines of up to two per cent of an organisation’s global annual turnover. So failing to secure data can prove to be a costly mistake.
Vinod Bange is partner at law firm Taylor Wessing