Why organisations need a flexible, not 'one size fits all', approach to data protection regulation
There can be serious consequences for failing to abide by the Data Protection Act, but one approach won't work for everyone
The recent data breach at the University of Greenwich has demonstrated, yet again, that there can be serious consequences for any organisation failing to abide by the Data Protection Act.
As if the negative publicity was not enough, there is the potential of enforcement action from the ICO, claims from individuals and heavy financial penalties when a data breach is uncovered.
For those unaware, The Data Protection Act was first introduced in 1998 and is an Act of Parliament in the UK which defines law in terms of the processing of data on living, identifiable individuals: it protects our personal data.
The Act consists of eight principles regarding data protections and requires individuals and companies to keep personal information, well, personal. According to the Act, ‘personal data’ refers to any data that can be used to identify an individual.
The Data Protection Act states that appropriate measures will be taken against unauthorised or unlawful processing of personal data as well as against accidental destruction or loss of, or damage to, personal data.
In the case of the University of Greenwich breach, personal information including names, addresses, dates of birth, mobile phone numbers, signatures and some students' mental health information were leaked.
This type of information is, of course, highly sensitive and organisations big or small should be taking the necessary steps to protect their customers’ data.
Unfortunately, The Data Protection Act adopts a ‘one size fits all’ approach when it comes to the regulation of data protection. This generalised approach to enforcing data protection laws, as well as the justification of penalties, is questionable when there is a significant difference in security and compliance expertise (and resources) available to larger corporations compared to small organisations.
A ‘one size fits all’ approach to regulation doesn’t deliver a level playing field, and alternative methods may deliver better data protection across organisations of all sizes. In order to construct a more flexible approach to data protection, the following three key aspects need to be considered at all times: people, technology and operations.
Statistically, people are the weakest link in the security chain in any organisation. Every company, whatever the size, should ensure that comprehensive background checks are made against staff members to instill trust and confidence across the team.
Using thorough security training ensures that staff maintain privacy and best practice concerning customers’ data, from initial set up through to their daily operations.
Even with the best business model, a security flaw can threaten a solution’s Confidentiality, Integrity and Availability (CIA). By ensuring that security services are designed to go beyond industry standards, businesses can maintain the CIA of their data management solution.
If a company places its data protection in the hands of a specialist Managed Services Provider (MSP), it needs to look for solutions that offer a network integrity layer, a content filtering layer and of course, a data protection layer. Layering helps to make the path for potential data hackers as challenging as possible.
Operational security is best described as a culture. Data protection can be made more effective if companies believe in this culture and adopt it across all levels of the organisation.
Operations are the actions associated with policies and procedures. Companies need to look for a fully redundant data centre and network infrastructure to give them peace of mind, even under extreme circumstances.
Strong access control measures, for example in terms of encryption and authentication, are paramount to counteracting security breaches. Email encryption of sensitive data and PIN number verification for account access are a key example of these measures.
A level playing field
Under the current rules, the University of Greenwich could have been fined up to £7.8m – but do penalties like this work? Small companies simply cannot afford to pay this sort of money without threatening their very existence.
On the other hand, companies that are large enough can afford to pay these types of fines and get their business up and running again fairly smoothly. That doesn’t seem right. Instead of a ‘one size fits all’ approach, data protection laws need to be carefully reconsidered to reflect the diversity in size and resources of organisations.
One way that better practices could be implemented in terms of data protection, would be a government scheme to help small to medium companies learn to protect themselves against a potential data breach.
The scheme would involve providing businesses with the knowledge and tools they need to secure themselves in order to be more compliant, thus resulting in a fairer chance of complete data protection.
Sourced from Jake Madders, Director, Hyve Managed Hosting