High-speed internet, smartphones, Wi-Fi, IP-connected devices such as printers, along with networks and flash storage, have changed the business landscape significantly in the last 10 years. This evolution continues to alter the way we work and do business, but in doing so we collect, process, store and access vast amounts of data, whether in the office or via a third-party provider.

Data privacy, particularly that of sensitive and private information collected while we go about our business, has been under the spotlight in recent years. Major corporate hacking stories have seen customer records breached and sometimes traded on illegal markets. Whistle-blowers like Edward Snowden have also shown how global government privacy and trust have been compromised, as well as revealing mass-scale data collection on citizens simply using their phones. Finally, we have recently seen the "Google" right to be forgotten law passed, which allows individuals the right to have certain historical information erased from internet search engine results.

The European Parliament is about to pass a new Directive on Data Privacy this summer, with the aim of harmonising the laws of the various EU member states to account for some of the changes noted above. It will change the UK Data Protection Act in some quite significant ways, and as business owners and executives we need to be aware of these changes.

First and foremost, in the area of penalties this revised law will have significant teeth: up to 5% of annual turnover, compared with the £500k cap in place today. This change in focus is designed to force organisations to take sufficient and reasonable steps to secure the information they use while conducting business. The law will also make clear that there is to be a shared liability between customers and suppliers; this move is to account for the heavy use of third-party suppliers such as Cloud providers. One further area currently under debate is known as Mandatory Notification, which in draft form places a 24-hour obligation on our organisations to notify the Information Commissioner's Office if an organisation suspects it may have been breached or caught up in a breach of a supplier. This element of the law, if passed, will presuppose that continuous self-monitoring is implemented in order to adhere to this measure.

This sounds quite a burden, but if it is viewed and tackled in a systematic way rather than as a one-off project, the culture necessary to protect sensitive information can be built. The most important first step is to implement a robust and measurable Information Security Policy that covers your whole organisation and not just the IT elements. The second is to focus on employee and visitor behaviours: around 70% of lost information cases revolve around people. Finally, consider selling with your security controls in the form of a standard, for example Cyber Essentials or ISO 27001 in information security.

Article by Dave Lloyd of Signacure.

Contact 0845 0453945.

This article is brought to you by NBSL's North East Business Support Fund, which funds the costs of business improvement projects such as website development, marketing strategies and external consultancy.

The North East Business Support Fund has hundreds of registered providers offering a wide range of business support. NBSL has used its best efforts to post on this web site the most accurate and reliable information given to us by our providers but does not guarantee the accuracy or completeness of any information. The thoughts and opinions expressed in these articles are those of the authors and are licensed to NBSL for publication on this website.
