There are eight things you need to know about data if you want to stay out of jail. Not too much to remember.
But only one in ten firms knows what seven of those principles are, and not quite half can recall unprompted that they are obliged to keep personal data secure. The latest research by the Information Commissioner’s Office (ICO) shows that private sector knowledge of how to handle data is lacking.
And with a sample size of 401, the finding does not look like an anomaly. Just 14% of respondents were aware of all eight obligations, while 41% knew of only one. Data security is top of mind, but everything else has slipped off the corporate radar.
Meanwhile, legal obligations around data have got stricter. Since April this year, the maximum monetary penalty the ICO can impose for a serious breach of the principles has risen to £500,000. And the ultimate sanction is to send a company director to prison.
Little wonder that the regulator’s reaction to the findings was stern. “Businesses need to show they are taking data protection seriously. Failing to do so could not only lead to enforcement action, it could also do significant damage to their reputation,” said Information Commissioner Christopher Graham.
He added: “There is a link between satisfied customers and good handling of personal information. Our research shows that almost all of the individuals surveyed are concerned about the collection and secure storage of their personal information.”
So what can be done to drive up awareness and get boards to take the issue seriously? Marketing has a key role to play, both as a major owner of personal information and as a skills set to communicate the issue.
O2 offers an example of best practice through the creation of its Information Council. Made up of board representatives from across the company, it has responsibility for information strategy, including the Customer Intelligence Centre (CIC) which O2 runs as a centre of excellence for data protection, management and exploitation.
The goal is to make the whole organisation “self-aware”, James Morgan, head of the CIC, told the Data Summit in June.
A key issue when creating the CIC was where it should sit in the business. “That was a difficult discussion – should it be IT, finance, marketing? It helped that the business is marketing-led, the processes and workflows are marketing-driven, so that was the right place for it,” says Morgan.
That is not always the outcome in other organisations. Many view data protection as an IT issue, since the data sits in the systems IT controls, while others have given responsibility to finance, because of the associated costs and risks.
With top-down buy-in and support from the UK board through the Information Council, O2 will undoubtedly be among the minority of companies which are fully aware of their obligations. Elsewhere, it sometimes takes an incident to get the attention of directors.
Almost four years ago, Barclays found itself on the wrong end of a City watchdog probe that found personal data in waste paper left outside bank branches. Chief Executive John Varley signed an undertaking to the Information Commissioner that the bank would improve its processes, and at the same time drove forward a privacy change management programme.
This led to the creation of Think Privacy, a scheme offering a suite of best-practice guidelines and awareness materials.
Sarah Phenix, who manages the programme at Barclays, says: “One of the workstreams we pulled out as important was training and awareness. We said, to do this right, we need to get our people to understand their obligations and where they can go for help. It is about ensuring they understand that this is everybody’s business.”
With the endorsement of the ICO, Think Privacy has grown into a consortium involving banks, including HSBC, along with other organisations such as Deloitte. Now the consortium is also looking to raise awareness further abroad.
“One of the things we have done in collaboration with the ICO is to create a set of awareness-building materials for businesses,” says Phenix. The resources for awareness campaigns are downloadable from the regulator’s website and readily available. Now all that is needed is the will to use them.
The eight legal obligations when handling personal data
1. Keep it secure
2. Process for limited purposes
3. Keep no longer than necessary
4. Process fairly and lawfully
5. Keep it accurate and up to date
6. Ensure it is adequate, relevant and not excessive
7. Process in line with individual rights
8. Don’t transfer to other countries without adequate protection