Take Data Protection Seriously, Please

I did a presentation earlier this week at NITES, in Ireland.  My topic was data protection and governance. I took the opportunity to make a number of linked points:

  1. We already have data protection legislation in the EU and US;
  2. These regulations don’t have any real teeth;
  3. Most company boards – particularly  in the financial sector – and public sector managements simply don’t care about data security – there are no rewards for doing a good job and no meaningful penalties for failure;
  4. The Health and Safety Executive in the UK has a budget and staffing levels about 20 times higher than does the Information Commissioner, as well as powers to inspect and fine, so it’s hardly surprising that health and safety regulation shows progress and data protection doesn’t (remember, too, that our ICO’s tiny budget, the majority of which is provided by company registration fees, has to cover DPA compliance as well as FOI and Environmental Regulation compliance!) 
  5. We care more about people using mobile phones while driving than we do about companies losing thousands/millions of sensitive personal records – we jail people for sending text messages while driving but do nothing about company directors whose reckless disregard of data protection regulations endangers the financial future of vast numbers of ordinary consumers;
  6. It’s time for data security to be given proper emphasis – by which I mean custodial sentences for CEOs and senior civil servants whose organisations recklessly disregard the DPA – with ‘reckless disregard’ having characteristics like unencrypted laptops or USB sticks and failure to conform to BS10012 (when it is finalised and launched),
  7. We also need a pan-European data breach directive, that requires companies who fail to protect personal data to meet in full the costs of restitution for those affected as well as paying substantial financial penalties (and, possibly, jail time for directors – see my earlier point).
  8. It’s time for us, the consumers whose personal data is so regularly abused, to start demanding – through all the channels open to us – that our elected representatives start taking this subject seriously and enact legislation that will actually have teeth, and commit the level of financial support that will enable those teeth to bite.

You are welcome to download a copy of my NITES presentation: nites-feb-09.

About The Author

Alan Calder

Alan Calder is an acknowledged international cyber security expert and a leading author on information security and IT governance issues. He is also the CEO of GRC International Group PLC