The sixty-four pound data protection question

As milestones go, this is not one that many in the data industry will want to celebrate – the 1,000th data breach being notified to the Information Commissioner’s Office.

Number 1,007 was notched up just as the organisation responsible for the single biggest data loss yet – HM Revenue and Customs – was getting it wrong again by accidentally sharing personal and financial data between neighbours. While its first loss of two disks holding 25 million records and the recent printing of the wrong people’s information in tax credit mailouts were both examples of cocking up, they also serve to underline that we are a long way from treating data as a valuable asset. How would an organisation feel if it had accidentally inserted £64 into every one of hundreds of mailings?

Yet that is what the Ponemon Institute currently estimates a data loss or data security breach costs to rectify on average. So there is clearly a gap between the good intentions and best practice being spoken about and claimed at the top of UK plc and the perception of data’s importance lower down the chain.

After all, physical mailings are seen by multiple workers during the production process, with spot checking of quality being standard practice in most printers. Yet nobody seems to have picked up that the information on Mrs Smith had been merged into a letter to Mr Jones.

What is worrying is that the driver of that oversight is one that is likely to increase and therefore lead to more such problems – cost reduction. Government departments and agencies are obliged to use the lowest cost suppliers they can find. Commercial organisations are following suit to keep their own overheads down.

Those rock bottom prices can only be achieved if you cut out elements of the process that look nice-to-have, rather than must-have. Checking data quality and merge-purge processes looks like an optional extra and, since it involves labour time, represents what looks like a cost that can be cut.

Much of what ought to be done around data protection and data security is currently viewed the same way. Instead of seeing the business case from the perspective of risk reduction and compliance, data management can end up looking like an overhead built in when times were bad.

It might cost £64 to rectify every data loss. But that is only a theoretical cost and a risk that lies somewhere in the future. The way most companies look at it is that, if it is costing 0.64p to double check data security and processing, why not cut out that expense? Let’s hope they do not end up paying the price.