Policy Management Software
Once again, all eyes are on the public sector over data protection and privacy, with the latest (record) fine from the ICO reflecting the sensitivity of the information involved.
However, these problems extend further, into the private sector businesses that also provide our services and hold our information: solicitors and barristers, estate agents, pension firms, accountancy practices; businesses that hold as much of our sensitive information as our local council, if not more. This is an area in which the MetaCompliance partner community can add real value in improving organisational awareness of data protection issues.
Many of these organisations have no concept of the behavioural responsibility they carry for data protection. They view privacy and information security as an IT problem, which amounts to securing the firewall, updating the anti-virus and, essentially, keeping the bad guys out. It would never occur to them that an inadvertent conversation with a colleague, or, in the case below, a diligent report back to the office, can be a serious breach of privacy and data protection law.
Case in point: a telephone conversation I overheard on a train out of London this week. I’ve saved you the full extent of my “rant,” but here is a snapshot of the information I, and 30-odd other people, are now aware of:
- The names of the defendants in a mortgage arrears case
- The address of their property
- The name of their estate agents
- The amount outstanding on their mortgage, and how much arrears they owe
- The amount the house is valued for
- The mother’s occupation and monthly net earnings, including how much child support she receives for her two daughters, aged 10 and 14
- The fact that the father is out of work and has mental health issues, but refuses to claim benefits as he won’t admit to his health issues
- The fact that the mother has a restraining order against the father
- The outcome of the case, i.e. how long the judge has granted this desperate family to remain in the house before paying the arrears or selling
The regulators are aware that this is a problem. Representatives of the ICO have, in recent times, been very vocal in their desire to push for an extension of their powers to the private sector to combat lax attitudes to data protection.
But it is not the fines that are the issue for the private sector; it is the reputational damage. A fine is a one-off cost. Incident investigation costs, whilst extensive, are finite. Even legal costs can be quantified and belts tightened to absorb them. The loss of revenue following a breach of privacy and data protection law, however, is open-ended: it can extend far into the future, and could very easily shut an SME down.
The MetaCompliance partner community has developed the skill sets needed to help professional services companies change attitudes to data security. With policy management software such as MetaCompliance, our partners can review and update key policies, recommend methods for distributing them to employees, and even carry out ad hoc, face-to-face training on information protection, privacy and data protection.
Any company, public or private, will be found seriously wanting if a lack of user awareness has resulted in a data breach involving sensitive information. The only way to combat a lack of user awareness is through ongoing education and communication, yet most organisations have a natural inertia that resists the kind of change needed to avoid the risks of compliance failure.
By using an outside organisation to act as a catalyst, management can put in place the continual awareness communication programme that is necessary to change employee behaviour towards privacy and data protection. Third-party specialists can provide the expertise and knowledge to analyse the information generated by the policy management and risk software, remediate the findings, and so maintain a culture of privacy and data protection for their customer.
All our MetaCompliance partners have seen a significant increase in interest in compliance management from their customer base. Professional services organisations looking to begin the process of culture change around data protection and computer use policies can link up with our partner community by contacting me at email@example.com.