Data protection in the UK and Europe may mean something a little different from the way most Americans would understand it. The UK's Data Protection Act, like other local legislation in EC countries enacting the EU Data Protection Directive 95/46/EC, is concerned less with the security mechanisms you use (or don't use) to protect your data than with how you handle other people's data.

By "handle", I don't just mean protection in terms of securing it, but whether you meet the requirements for processing and using it set down in the eight principles that are the backbone of the act. So it was interesting and a little disquieting to read an item that claims that SMEs (Small and Medium Enterprises) routinely breach the Data Protection Act. That assertion is based on the results of a survey of more than 500 businesses carried out on behalf of the BSI (British Standards Institution), which found that:

  • Nearly half thought they'd breached the act more than once
  • 18% weren't sure whether they had
  • 15% weren't "confident" that their data sharing was compliant with the DPA, and about 1/3 of them shared it anyway.

BSI have just launched a new British Standard (BS 10012 - "Data Protection. Specification for a personal information management system"). So it's not surprising that the survey reflected concerns that the new standard is presumably meant to address. (At £100 a shot I'm not in a hurry to buy my own copy to see how well it does that!) Still, the results do seem to back up a claim by Gordon Wanless, Chairman of the Data Protection Forum, that organizations are finding the DPA too complex to comply with effectively.

From the other end of the telescope, there have been instances where a misunderstanding of the DPA has led to problems and even tragedies because an organization invoked the Act inappropriately, through misunderstanding (or self-protection, on occasion).

I don't think complexity is the only issue, though. Further findings were that:

  • 65% provided no Data Protection training to staff
  • Nearly half had no Data Protection Officer or similar responsible for data protection

These are serious shortcomings if found in organizations that process significant amounts of personal data, and there aren't many organizations in the private or public sectors that can make that claim. How many organizations have no clients (customers, patients, passengers, whatever) that ever give them sensitive data, and that's without considering internal issues such as payroll and other employee records? If you take the legislation seriously, you don't throw up your hands and say "it's too complex for me to understand": you buy in expertise or you send people on courses so that they can come back and pass the information on.

Perhaps the real answer lies with the 18% who thought that "data protection is less of a priority in the current economic climate." The high proportion of respondents who seem to underinvest in data protection measures may not all use that particular (rather unconvincing) rationalization, but I'm sure they're influenced by the expense of full-strength compliance.

That's understandable (though not defensible) in the current climate. But as even the BBC seem to have recognized, belatedly, with regard to the Computer Misuse Act, compliance with the law is not optional, whether or not you agree with specific legislation.

If people can persuade themselves that it is optional, I'm not sure that a new standard intended to reduce the legal complexities is going to help as much as BSI think it will.

David Harley
Director of Malware Intelligence