Unless you cancelled all your media subscriptions last year in despair at the terrifying news about the economy, you might have noticed another set of negative headlines, this time about data losses and security breaches. From the Government and Armed Forces to blue-chip brands and high street retailers, it seemed that nobody could keep a tight grip on personal information.
Addressing the problem is not easy, however. If you are a large-scale organisation, you are probably up to your ears in encryption and ISO27001 processes. From the mid-market downwards, there has been something of a gap. This is what the new DMA Information Security Management Standard, also known as the Data Seal, has been developed to address.
“It all started in early 2008 when the news was hitting about HMRC and other major data losses,” says Mike Lordan, director of consumer services, compliance and accreditation at the Direct Marketing Association (UK). “The Government was forced to admit publicly what was going wrong. Were the same things happening in industry?”
While it was obvious to anybody involved in data that the private sector was just as culpable, it was not under the same moral duty to admit to its failings. At the same time, achieving ISO27001 compliance is often beyond the ability (and purse) of many companies. Yet there were signs that, as part of its housekeeping, the Government would soon start to demand evidence that companies were taking the issue seriously.
Lordan undertook a market review of the options for companies keen to demonstrate their commitment to data security. “I went to the Information Commissioner’s Office and looked at their advice, then worked with a number of our members to develop some Best Practice,” he says.
This was published in March and was deliberately written to be generic advice for the broad nature of the DMA’s membership. From there, Lordan started working with BSI Management Systems, the accreditation and standards organisation which had built the PAS2020 environmental standard with the DMA.
Lordan points out that Data Seal is different: “This is a private, DMA standard which the BSI will audit.” This has two important consequences. The first is that it is less wide-reaching than typical BSI standards. The second is that it is specifically written for the direct marketing industry.
Central to the standard is the goal of establishing an industry-wide approach to information security and of reflecting the tight integration between clients and suppliers when managing personal information. The mechanisms and rules it outlines for protecting data are intended to protect the reputation of the DM industry as well as offering guidance on how to deal with external complaints and queries.
“It is going live in May. We are looking to select four or five member companies to pilot it,” says Lordan. While the standard has been carefully developed, he admits that, “we don’t know which issues may emerge. But the standard will enable users of DM services to identify members who are proactive.”
The DMA hopes that, with time, the Data Seal will become a default choice, although Lordan stresses it will not become a requirement of membership. He does argue that it will form part of a step-wise improvement in data management.
“The BSI’s view is that this is a stepping stone towards ISO27001 and that the requirements of the Data Seal will form part of that standard. For some, the seal alone will be sufficient to prove they have got good information security, while for others, it will be a placeholder for a couple of years as they work towards getting ISO accreditation,” says Lordan.
In order to gain accreditation, member companies have to address a raft of issues, from hardware and software requirements to staff training and processes. The Data Seal is given to a company following an audit by BSI – Lordan expects this to take two days, typically, at a cost of £900 per day. The full cost of meeting the standard will depend on the member company’s starting point. An annual audit is then required to keep the seal.
One interesting dimension of the standard is Section 12, the Data Elimination Requirement. “In the view of the ICO, once data has been used for its defined purpose, it can be deleted,” notes Lordan.
Almost nobody in the data or DM industry operates a data deletion programme and marketers especially are shy of getting rid of any information they have gained. But the section focuses as much on secure shredding and deletion once systems are being scrapped – one of the main causes of recent data losses – as it does on dealing with old versions of records.
With the Data Seal only just going live, it is too early to say what its impact will be. But Lordan says nobody can duck the issue: “Individuals are sensitive to the use of their data and are concerned about information security. It is getting bigger as consumers are now far more aware of the issue.”