Today marks the 32nd European Privacy and Data Protection Day, with an effort to ‘recognise the importance of privacy for our human values and fundamental freedoms’.
According to the website, today is "a platform that gives visibility to events, organised by governmental and other institutions and civil society that draw the attention to the value privacy and data protection we have in our societies or engage the citizen in privacy relevant activities".
According to statistics from Iron Mountain, more than half of UK businesses think that data loss is inevitable and 66 per cent of the 1,250 European business decision makers said that the threat of fines was having little impact on their company's data protection policies to protect sensitive information.
Christian Toon, head of information risk at Iron Mountain Europe, said: “The fact that more than half of European organisations see data loss as an inevitability is worrying and it illustrates that businesses of all sizes are failing to take appropriate steps to protect information.”
Alan Woodward, from the department of computing at the University of Surrey, said that he felt that privacy and security were two sides of the same coin: the point at which security and privacy most definitely collide is not just what the data holder does with your data (they might not sell you on), but whether they are protecting your data so that others whom you have not authorised cannot access it, intentionally or unintentionally.
He said: “Most smaller companies these days hold some form of ‘sensitive’ data but they tend not to understand that point. For example, a database (usually a customer relationship management (CRM) system) with customer data might not necessarily be thought of as ‘sensitive’.
“Ask a small business if they encrypt such data or make any extra efforts over the standard CRM system, and you'll find few do. Businesses tend to rely upon the security of the software being provided. However, often those developing the software come from jurisdictions that have a very different approach to personal data, and their software does not necessarily even pay lip service to the Data Protection Act.
“The whole situation is being complicated by the emergence of cloud and software-as-a-service. Businesses see that managed services offer significant cost savings, but very few stop to look at the small print. Fewer still stop to ask where the data will be physically stored. When I have talked to people in this position they assume, for example, that if data is sent offshore to the US then there is some equivalent law there. Hardly anyone understands that companies in the US must sign up to be ‘safe harbours’.”
The role of enforcing the Data Protection Act in the UK falls on the shoulders of the Information Commissioner's Office (ICO), which must educate organisations and ensure that the law is being followed. Aside from the proposed changes to the data protection directive from which the government derives the act, the ICO is also responsible for rolling out awareness campaigns, and has issued almost £2 million in monetary penalties to those who fail to protect data.
Asked if he felt that the ICO was doing a good job in broadcasting the regulations of the Data Protection Act, Woodward said that while there is a great deal of support material available, he was not sure how many smaller or medium-sized business really know what the ICO does or that there is practical help available.
“I think there is a degree of increasing awareness but it tends only to be when large fines are issued that the ICO comes to the fore. Ideally, we'd have awareness being raised before it gets to the point of fines being issued,” he said.
“With scandals having happened in everything from health data to financial records when it is entrusted to those in jurisdictions outside the EU, it is something that the ICO could be doing a great deal more to help raise awareness of. I get the impression that the ICO is focussed very much on the UK/EU. What is happening with globalisation of services, and the increasing role of outsourcing/offshoring of the back office, means that people need truly global advice.”
John Thielens, chief security officer at Axway, said that failing to ensure utmost data security within a business is as risky as walking a tightrope with no harness, especially as so many businesses have an increasingly mobile workforce.
“Many businesses are now operating in an open network that can be more vulnerable to threats if the right precautions are not taken,” he said.
“Businesses must ensure they know exactly where their corporate data and the data their customers have entrusted to them is, who is accessing it, how, and for what purpose. Consumers have obligations to behave safely online, but businesses are ultimately the custodians of their private data, and have more complex duties to safeguard it.
“There's no doubt that the likes of cloud technology and BYOD are creating a world of opportunity for businesses, but it's crucial that businesses understand they come with a new set of rules. Arming employees with the right balance of knowledge and sound security tools is key to ensuring business security remains airtight.”
Data protection is a challenge, there is no doubt about that, and that is why it falls under the umbrella of business compliance. However, warning businesses that they need to protect data is like telling them that they need to breathe. So does a day like this exist to raise awareness, slap wrists or gauge the public interest? In my view it is all three.
Asked if a day like this will have any impact, Woodward said: “I suppose it can't hurt, but there does seem to be a lot of awareness ‘days’ and I think their volume leads to a degree of apathy. It's rather like people getting compassion fatigue with so many charity appeals. Security and privacy are assumed to be someone else's issue, so it's good if campaigns can raise awareness of personal responsibility.”
SC Magazine will present two events on data protection in the coming months. The Data Protection Summit will be held on the 21st March 2013 at the ILEC Conference Centre in London, while a webcast will take place on ‘Data Protection in 2013 - Regulation Versus Reality?’ on Thursday 9th May.