The 5750 Gold Rush Revisited?

Those old enough to remember the late 1980s will recall the BS5750 phenomenon. Everyone wanted it. Large companies would not buy from firms that were not BS5750 accredited, and a whole industry of consulting firms grew up to help companies achieve it.

Will history repeat itself when the proposed European Data Protection Regulation comes into force, expected late next year? Will firms refuse to trade with other companies unless those companies can demonstrate a high level of control over their data processing activities?

Why would they?
The main driver for BS5750 adoption was risk mitigation. It felt safer to trade with companies that were BS5750 accredited than with those that weren't, the implication being that BS5750 brought business discipline, structure and order, and an audit trail through key business processes. There was no legal requirement and no tangible economic benefit, just risk management. Compare that with PCI DSS. Over the last couple of years the Payment Card Industry Data Security Standard (PCI DSS) has become big business. A global standard developed by the key players in the payment card industry, PCI DSS sets out the security controls that merchants, payment processors, banks and the like must apply to payment card data. It was introduced to shore up consumer confidence in the safe use of payment cards, but the key driver for businesses to become PCI DSS compliant is an economic one: acquiring banks charge higher fees to non-compliant businesses.

So how does all this relate to personal data? When the Data Protection Regulation becomes European law next year it will be a game changer. The maximum fine will rise from £500k to up to 2% of global turnover. Couple that with a legal obligation to report information security breaches within 72 hours and a new power for the Regulator to carry out unannounced on-site inspections, and getting data processing activities wrong becomes a risky business. This will inevitably roll down the supply chain. Companies won't buy cloud computing services (such as online backup or software as a service), won't employ telesales companies and won't undertake email marketing unless they have confidence that their suppliers are bullet-proof in terms of information security. And how do you know whether they are bullet-proof? Demonstrating an accredited standard will be one significant step in that due diligence.

Which standard?
The British Standards Institution published BS 10012 in 2009, a standard for the handling of personal data as defined by the Data Protection Act (1998). Take-up has been very slow because, as yet, there is no imperative for adoption. The Information Commissioner's Office recently opened a consultation with industry about the development of an information governance standard. It is bound to look at BS 10012 and at standards such as ISO 27001, ISO 9000 and PCI DSS, and may well develop a revision of one of these or a new standard.

The clock's ticking.
There's a window of two years or so in which to make progress. Audit what you have and where you are. Document where you think you will need to be. Look up and down your supply chain: what risks do your suppliers pose to you, and what requirements are your customers likely to impose on you? And start work now on building an information governance system and embedding it in your organisation's culture. Those who adopt early will not only gain a competitive advantage but will spend less in the long term than those who wait and then have to rush a system through to meet their legal obligations and/or the pressure of their supply chain.

How Safe is your data?

It's very easy and inexpensive these days to move data about, whether to share it, store it or process it in other ways. Data sharing platforms such as Dropbox, online backup services such as CrashPlan and cloud-based databases such as Salesforce or Zoho have made mass data mobility quick, convenient and cheap, and just about all of these services have an entry-level product that is free of charge. They also have mobile versions, so you can reach your data while on the move.

But how safe is your data in these services? Where is it physically located? What happens to it when you stop using the service? Who has access to it? What measures are in place to protect it? And what happens if you lose your mobile, with the app still logged in and files cached on it: is that a vulnerability you have thought about?

Dropbox is often used as a cheap (i.e. free) way of moving data about for commercial projects where data has to be shared. Take a telesales campaign, Project X. Company A places its list of, say, 10,000 telesales prospects in a shared Dropbox folder for Supplier B to pick up and use to call Company A's prospects. At the end of the project, what does Supplier B do with Company A's data? What happens to the lists left in the Dropbox folder?

The Data Protection Act (1998) requires that personal data is only shared in this way under the terms of a data sharing agreement: a written contract between Company A and Supplier B setting out each party's obligations for protecting the privacy of the individuals on Company A's list. Such an agreement should set out, in a job specification, exactly what Supplier B is allowed to do with the data and the things it must and must not do, including what it must do with the data when the project ends.

It's good practice, before deciding to go ahead with a project such as this, to undertake a privacy impact assessment (PIA): a structured review of the project from a privacy and data protection perspective which helps both Company A and Supplier B to consider the project in relation to privacy legislation.

Another important step, and a useful tool for informing the decision before entering into any data sharing agreement, is a privacy checklist: Company A sends Supplier B a simple information security questionnaire, reviews the responses and decides whether to approve Supplier B or to undertake further due diligence (e.g. a site inspection or a virtual site inspection). It is important to remember that the infosec questionnaire is not a test of Supplier B's data protection compliance; it is a risk assessment for Company A. Even if Supplier B's responses don't shape up well, Company A is still at liberty to approve Supplier B, but, and here is the key, it goes into the data sharing project with its eyes open, having undertaken due diligence. It is entitled to accept a level of risk.

But where does the relationship with Dropbox fit into the mix? What both Company A and Supplier B should be doing is finding a secure and reliable method of moving the data about. They should read and understand the terms and conditions of file sharing sites and decide whether they are suitable for a) the project in hand, and b) the type of data within the project. File sharing sites may well be perfectly acceptable for the project and for Company A's risk appetite, provided that the data within the shared files is protected by strong encryption applied before the files are uploaded. Two caveats follow from that. The decryption key must travel by a different route from the files (a key dropped into the same shared folder protects nothing), and encryption does not answer the questions above about access and retention: the shared folder still needs its membership reviewed and the files removed, on both sides, when the project ends.
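To make that last point concrete, here is an added example of what "strong encryption within the shared files" looks like in practice. It is not code from the original article and not any file sharing product's own feature: Company A seals the prospect list with AES-256-GCM before the file goes anywhere near the shared folder, sends the key to Supplier B by a separate channel, and Supplier B's decryption refuses the file if it was altered in the folder or relabelled as another project's list. The file label, project names and sample rows are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample of the kind of prospect list Company A might share with
// Supplier B for Project X. Fictional names and drama-range numbers, not real data.
const prospectList = "name,phone\n" +
	"A N Other,01632 960001\n" +
	"J Bloggs,01632 960002\n"

// NewKey returns a fresh 256-bit AES key. It must reach Supplier B by a
// channel other than the shared folder (read out over the phone, or sent in a
// separate encrypted message); otherwise anyone with folder access has the key too.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. A random 12-byte nonce is
// prepended to the ciphertext, and the file label (e.g. "projectx-prospects.csv")
// is bound as additional authenticated data, so a sealed file cannot be passed
// off as belonging to a different project without failing to open.
func Seal(key []byte, label string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice: nonce || ct || tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or label, or the
// use of a different key, fails the authentication check and returns no plaintext.
func Open(key []byte, label string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed file too short to be valid")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	const label = "projectx-prospects.csv"

	// Company A: encrypt before the file goes into the shared folder.
	sealed, err := Seal(key, label, []byte(prospectList))
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes; plaintext visible in file: %v\n",
		len(sealed), bytes.Contains(sealed, []byte("Bloggs")))

	// Supplier B: decrypt with the key received out of band.
	plain, err := Open(key, label, sealed)
	fmt.Printf("open with right key and label: err=%v, rows intact=%v\n",
		err, string(plain) == prospectList)

	// Someone with folder access flips one byte: decryption must refuse.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, label, tampered)
	fmt.Printf("open after tampering: err=%v\n", err)

	// The same file renamed as another project's list: also refused.
	_, err = Open(key, "projecty-prospects.csv", sealed)
	fmt.Printf("open under wrong label: err=%v\n", err)
}
```

Binding the file label as additional data is the cheap way to stop a sealed list from one campaign being quietly reused for another; the more important design choice is the one the code cannot enforce, which is that the key never travels through the same folder as the file.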

Now it may be that Company A is a small business on the hamster wheel of commerce, without the resources to concentrate on the points above. The simple solution is to employ a data protection consulting firm to undertake the due diligence on its behalf. Or it may be that Supplier B has already gone the extra mile and prepared the relevant paperwork for all of its clients, which it can provide to Company A as part of project initiation. This latter approach gives Supplier B a competitive advantage over a Supplier C that has no such documented controls in place, and instils confidence and trust in Supplier B's customers.

The point to take away is that the law is changing next year, 2014, and it will become more difficult, if not impossible, to run Project X without going through the process outlined above.