Data and the law - are you compliant?

The Data Protection Act 1998. The Markets in Financial Instruments Directive. The Payment Card Industry Data Security Standards. The Copyright, Design and Patents Act 1988. The Human Rights Act 1998. The Freedom of Information Act 2000. The Financial Services Authority. Sarbanes Oxley 404.
Author/s: Clive Longbottom
Created: 30/12/2009
Filename: COA - article 1.pdf
Media Partner:
Tags: coa  
These are just a few of the UK, European and even US laws that have been passed that affect how you have to deal with data. Sure, not all of these may apply to you – but the majority will, and while looking through the mountain of documents that constitute these laws, it becomes apparent that many of the requirements of one law are not exactly compatible with those of the others.

And we also have to take into account the fact that it is not just laws like these that affect how we deal with data. How about regulatory filings to HMRC or Companies House? How about the need to share information with our suppliers and customers in a manner that meets our own security concerns? How about industry standards such as ISO17799 and ISO9000, or more specialised standards such as ISO2000 based on ITIL? How about the use of electronic data interchange (EDI), and the various standards that sit underneath it, such as AS/2 or EDIFACT?

Managing data is a perennial problem, but it is becoming more critical as data volumes grow and users become more adept at blending their work and leisure environments. With data volumes quoted as doubling anywhere from every few weeks to every few months, and still accelerating, dealing with data against the backdrop of such legal and market regulation means that we have to take a long, hard look at what we are doing.

Lip service to the law is not recommended.

Although the full force of the law is not generally applied, the financial implications can still be severe. Take, for example, the UK’s Data Protection Act (DPA). Although the actual fine for non-compliance is capped at £5,000, the other sanctions the Information Commissioner’s Office (ICO) can impose can far outweigh this. For example, once a company has broken the DPA, it can be forced to create a plan that details the steps it will take to ensure such a breach does not happen again. If a company breaks the DPA twice, the ICO can assign a government auditor who will investigate and create a legally binding plan that the organisation has to put in place within agreed timescales. Far worse than that can be the impact on the brand when news that customer records have gone astray breaks. And although the DPA can seem fairly toothless as a financial hit in itself, other professional bodies can take things further.

This was shown in a big way when the Nationwide Building Society in the UK had a laptop containing user details stolen from an employee’s home. This was a possible breach of the DPA, but the Financial Services Authority took over and fined Nationwide nearly £1m for perceived lapses in data security.
 
However, copyright can be far worse. Although the majority of organisations realise that illegally downloaded music and video files breach copyright, few are aware of how much file downloading takes place within the business – generally to a local disk before ending up on the user’s device. Unfortunately, ignorance is not bliss, and the organisation stands just as much chance of being prosecuted for such a copyright breach as the individual does. With courts around the world taking copyright breaches very seriously, it is essential to understand the possible issues and the potential solutions to such problems.

But the big problem for an organisation looking at how best to deal with data compliance issues is the choice of solutions. Sure, you can go to a systems integrator and they will probably be able to offer a project to address your DPA needs.

Then they’ll also be able to give you an ISO9000 solution and perhaps strap on an ISO17799 package. But unless each of these separate projects is then fully integrated, you will find that each one conflicts with the requirements of the others.
For example, let’s look at an accredited ISO group needing to do an audit. In they come, and you lead them through the solution that has been put in place for that ISO standard. 
 
Unfortunately, you will probably be showing an outside group customer data that the customer has not agreed can be shared in this way. Therefore, you are in breach of the DPA. Likewise, the police come in wanting to look at a specific problem – let’s say money laundering. They will have to have a specific warrant that states exactly what it is they are looking for. If you provide beyond that level of information, you’re probably in breach of one of the other laws.
Even worse – imagine that some group, say the Serious Organised Crime Agency (SOCA), comes in needing to investigate a range of issues where they believe there is a threat to national security. It may well be that this isn’t confined to a single definable area within the business – so your DPA, Freedom of Information (FoI), ISO17799, ISO9000 and other solutions are suddenly completely useless. The Boys in Blue want information, want it fast, and want it across the whole of your organisation. If you are in a high-value trade with high-value customers, suddenly finding that you have no option but to make customer names, addresses and financial details available to the authorities, even though their warrant doesn’t specifically cover them, is not likely to go down well at all.

But, there are ways around all of this, based on structured data storage and a concept called a Compliance Oriented Architecture (COA). The second article in this mini-series will look at what the issues are within current data architectures, and at some of the approaches that will help to establish the foundation for creating a COA. The final article will cover the COA itself – what is really involved, and how to go about putting one in place.