UK data protection in the spotlight

Share

 

So, 28 January 2010 was Data Privacy Day, an event which largely passed without fanfare. But several interesting pieces of information were published to coincide with the event, which indicated that there is still plenty to be done in the enterprise to ensure that increasingly high expectations for data security are met.

Figures from the UK's Information Commissioner's Office reveal that more than 800 security breaches were reported over a two year period, with almost one quarter of these being attributable to "mistakes", and almost a third being the result of thefts. A breakdown of the figures is available here.

According to an enterprise survey, while 80% of organisations are aware of the basics of managing physical records, only 23% have established policies that cover electronic records. This is complicated by "several macro trends" which have made the management of electronic data more complex -- including a sharp growth in electronic information, growing customer concern about how data is protected; the expanding regulatory environment related to data security; and heightened litigation demands.

A separate survey put the cost of data loss at £64 per customer record, of which £29 was attributed to reduced customer trust. While the figures for public sector organisations are slightly lower, it was noted that the costs associated with detecting and escalating a breach, and with alerting citizens and dealing with subsequent enquiries are higher, and the principle contributors to the total costs. Private sector businesses are better at detecting problems, but in contrast have to deal with issues related to increased churn and attracting new customers as a result of breaches.

For companies operating in the UK, the cost of a data breach is about to get much bigger. The country's Information Commissioner will soon be able to impose a penalty of £500,000 on data controllers who "seriously contravene data protection principles". Decisions will be based on a "pragmatic and proportionate approach", based on factors including an organisation's financial resources, sector, size and the severity of the data breach. The highest level of fines will be reserved for cases where "there has been a serious breach that was likely to cause damage or distress and it was either deliberate or negligent and the organisation failed to take reasonable steps to prevent it".

We have also already reported that the European Commission is mulling updates to its data security regime.

Stewart Baines

I've been writing about technology for nearly 20 years, including editing industry magazines Connect and Communications International. In 2002 I co-founded Futurity Media with Anthony Plewes. My focus in Futurity Media is in emerging technologies, social media and future gazing. As a graduate of philosophy & science, I have studied futurology & foresight to the post-grad level.