When the UK's Data Protection Act (DPA) was enacted in 1998, almost all data was generated, consumed and stored on company-owned and company-managed equipment.
This was usually desktop PCs that had a typical lifecycle of five to seven years and ran an ‘industry standard’ operating system. The situation is very different in the contemporary business landscape: while data is still largely produced on PCs, it is increasingly accessed on user-owned, and often hand-held, devices such as laptops, tablets and smartphones.
This brings a range of complications to businesses, notably the increased risk of data loss through theft or misadventure, the requirement to secure a bewildering array of mobile phone operating systems (and multiple versions of each), and a higher disposal/recycling frequency.
It is encouraging to see that the Information Commissioner's Office (ICO) has recently issued updated guidance notes that re-interpret the 1998 Data Protection Act to reflect how mobile technologies are changing the workplace.
One key issue addressed in the document is ‘bring your own device’ (BYOD). It states that the data controller (i.e. the business) must have security in place for BYOD to prevent personal data from being accidentally or deliberately compromised. This means that although corporate IT has less control over the configuration and specification of the devices used by its information workers, any data breach reported to the ICO and found to originate from a device owned by an employee or contractor is still the legal responsibility of the data processor.
It is also worth noting that the Data Protection Act (DPA) is applicable to any company operating in the UK, regardless of whether it is registered in this country or overseas.
While the ICO has successfully addressed a number of core issues to bring the DPA in line with the times, the guidance does not cover the full lifespan of users' mobile devices. Even if a business has a functioning BYOD policy to safeguard sensitive corporate and personally identifiable data while a device is in use, these efforts can be futile if that data is not systematically wiped when the handset is sent for disposal or recycling.
This issue is exacerbated by the shorter upgrade cycle for consumer mobile phone contracts, which are typically 12 to 24 months.
At the end of last year, the ICO went some way to tackling the issue of how to deal with obsolete or surplus devices by issuing its IT Asset Disposal Guidance Notes. While these acknowledged the importance of deleting personal data, they did not specifically address one key problem facing businesses: standard data wiping techniques (repeatedly overwriting the storage) simply will not work for devices using solid-state drives (SSDs), because the drive's wear-levelling firmware decides which flash cells an overwrite actually reaches.
This is becoming significant given that SSDs are used in two devices that are becoming ubiquitous in the corporate world: smartphones and tablets.
Data security legislation is in its infancy and cybercrime is endemic in these markets, so any inadequately wiped mobile device ending up in the wrong hands has the potential to wreak havoc. This means data processors must use data wiping solutions that are auditable and offer a certificate of data sanitisation in order to ensure BYOD schemes will benefit, not harm, their business – even after a device has been decommissioned.
Ken Garner is business development manager at BlackBelt