Data protection laws are failing to deter companies from illicitly acquiring and selling customers’ details, according to the House of Commons’ justice select committee. Since the strategy doesn’t seem to be working, it looks like time to try other approaches.
The parliamentary committee’s report, published last Thursday, urges ministers to bring into force the power to give prison sentences to those found guilty of data offences. It also welcomes the government’s plans to ban car insurance referral fees, which have been blamed for pushing up premiums.
Both are worthy causes, and are needed to spark improvements in the performance of companies handling data – as well as public perceptions of the industry. But the committee has missed out on a chance to promote good practice by publicising the international standards that exist to safeguard data within organisations, such as the ISO 27000 series of certifications.
The Information Commissioner does not currently have the power to audit companies’ data management processes. But the market does have the power to demand that companies audit themselves, and should start insisting on it.
Certifications like those drawn up by ISO should be worn as a badge by suppliers, and marketers should be looking for them when they choose companies to handle their customers’ data. Data companies might argue that undergoing an audit is an expensive process, but that investment can be a worthwhile one if the resulting credentials are valued by the market.
By way of comparison, look at what extra sales and branding opportunities are generated by companies that carry a Fairtrade or Soil Association logo. ISO is the world’s foremost standards body, and its standards are recognised across numerous business sectors and around the globe. Being in possession of a certificate when the competition is not should be a USP, and it should be the first thing a prospective client asks about in any business conversation about data security.
The justice committee wants to explore increasing the Information Commissioner’s inspection powers, without adding to the regulatory burden on businesses. By communicating the importance of existing standards, the data industry can go a long way towards doing this for itself, and good practice will be a marketing asset as a result.