By Brian Collett — Businesses are now being told they should build data protection into their core activities in a guide issued to ensure they satisfy new IT legislation.
They are reminded that following the rules will enhance their reputation and help them to avoid heavy fines for non-compliance.
Introducing its guide, GoodCorporation, the London-based international business ethics and compliance consultancy, says: “Robust data protection management should essentially be regarded as ethical business conduct and considered as a key component of good corporate governance.”
The guide has been issued just as the government is revising data protection laws in line with the EU’s General Data Protection Legislation coming into effect next May.
GoodCorporation hints that its guide is perfectly timed. The consultancy reports that a survey by the Netskope company in California found more than half the IT and security professionals it interviewed had never heard of the EU regulation and three-quarters said their companies had not provided any information about it.
Another study claimed a quarter of all businesses had scrapped preparations for the regulation, believing it would no longer apply to Britain after it quits the EU.
The guide says businesses should first have comprehensive records of the data being collected, held and processed. This data map would show where the information is held and processed in a company and how it is exchanged between parts of the business and with third parties.
A data map, it says, would meet the legislation’s expected requirement to keep records of processing activities.
The way in which consent is obtained for holding personal data would be important too. The consultancy warns that box-ticking and opt-out methods might not be enough to prove that consent is validly obtained, freely given and informed.
The guide says organisations could go further in observing the regulation by offering consumers more control over their data, so that requests to erase or transfer their details can be handled. This would make an organisation more attractive to consumers.
GoodCorporation says the policy should be led from the top, by senior managers, including directors, who should discuss it at board level and sign it off.
Finally, it believes now is the time to start compliance. Companies should not wait until the UK Data Protection Bill begins its journey through Parliament.
More than 80 per cent of the people whose details are held in IT records feel they do not have complete control over that data, says the government’s Department for Digital, Culture, Media and Sport.
GoodCorporation points out that if companies fail to give people this protection, thereby breaching the new data laws, they are likely to suffer reputational damage and consequent business damage.
On top of that there are the fines – up to £17m ($22m, €18.7m) or 4 per cent of worldwide turnover. The fines in total could run into billions.
In the UK last year the average cost of a data breach was £2.53m, according to a wide-ranging study by the American multinational technology group IBM and the Ponemon Institute, a Michigan-based independent research body.
GoodCorporation’s conclusion: “Protecting personal data goes beyond regulatory compliance. It should be seen as a component of good corporate governance, a function of an ethical business culture demonstrating an organisation’s commitment to doing the right thing.”