Whenever I speak to people about Risk Management these days, data protection is always one of the risks I mention, and I am increasingly concerned at the number of times one or more of five popular myths pops up.
These are leading a lot of otherwise good managers to fail to take some of the steps necessary to manage this risk and keep their businesses safe.
Myth No. 1: “It’s an IT Matter.”
This is usually followed by an invitation to speak to their IT manager, whether within their business or an outside contractor. Here are five reasons why it is wrong:
1. The Human Element. Obviously it is important to have the right software to protect your data from hackers, viruses and malware, but the Information Commissioner’s Office has reported that in the last two years more than 60% of incidents reported to them did not involve any IT failure. Most breaches were caused by human error, and in many cases “error” would be the wrong word, since deliberate wrongdoing was a significant element. This means it is a matter for your HR manager rather than your IT manager.
2. What IT? It is also important to recognise that most businesses hold and/or process data on lots of devices other than the traditional mainframe, desktop or even laptop computers. The range of items such as tablets, mobile phones, storage devices and planners is growing in number and variety. Most are outside the control of the head of IT in the business.
3. How is data processed? Apart from the obvious data processing activities which take place in the course of business, a lot of data is passed around in various ways, intentionally or inadvertently, every day. Some will be communicated verbally, either face to face or by phone. Some will be on paper. The paperless office is not as common as we like to think, if we include everything coming off the printer and all the handwritten notes we all use.
4. Tweet Tweet! We have all noticed how often celebrities get into trouble through unwise comments on social media. We less famous people also need to be careful. We may actually use such media in the course of our work, but we need to take into account the times we blog or tweet about our work, or just about our day, and find ourselves passing on information or comment that could get us into all sorts of trouble.
5. Where does the buck stop? In Law, the responsibility for data security rests with the business owner or whoever is in overall charge of the business. That person may have sanctions against employees or others but the buck stops at the top. The task may be delegated but the responsibility cannot be.
Myth No. 2: “It’s Outsourced!”
Nowadays many businesses outsource a variety of services. IT is one of the most popular, but others include HR, payroll, accounting, maintenance, and even office management. There are many good reasons for doing this, but beware of assuming that this removes all your worries. Here are four reasons why it does not:
1. The Law. Although you can outsource the function, you cannot get away from your legal responsibilities, as mentioned earlier.
2. Your Image. It is likely to be your reputation that gets damaged if it turns out that a contractor has failed to keep your clients’ or employees’ data safe.
3. The Cloud of Uncertainty. When someone tells you your data is safe because it is “in the Cloud” you should ask what that means. It will be on someone’s computer somewhere. How secure is that? Does your contractor know?
4. The EU. European Union legislation requires all personal data of EU subjects to be held within the EU or in a system which would comply with EU Law if it had been in the EU. Most U.S. companies do not comply with EU Law, not even officially!
Myth No. 3: “It’s the Company’s Problem.”
Many people at all levels believe that any fines and penalties will be incurred by their employer, regardless of who has caused the data breach, or how. Here are three reasons why it is not:
1. The Law. Individuals at all levels can be prosecuted and fined or even gaoled if it can be established that they had knowingly disregarded policies and procedures put in place by their employers to protect data. Even former employees are not exempt.
2. Survival. If your employer suffers a financial loss or a loss of business due to a data breach, the profitability or even viability of the business could be at risk. How safe would your job be?
3. Your CV. Your career could suffer if your present or potential future employers believed their data was not safe with you.
Myth No. 4: “It’s a Box-Ticking Exercise.”
There are many things we are all required to do to comply with all kinds of legislation and the Data Protection Acts certainly impose a lot of requirements on everyone. This is also true of the Health and Safety at Work Acts and many others. However, just as I hope you would not want to be the cause of someone’s injury or even death, I hope you would not want a lot of information about your employees or your clients to get into the wrong hands. Apart from the power of the ICO to prosecute you, there are three other good reasons to keep data safe:
1. Civil claims. Even without the DPAs you could always have been sued for negligence or breach of contract if clients believed they had suffered losses as a result of your failure to protect their data.
2. Your reputation. Potential clients and employees might not want to know you if they do not trust you with their data.
3. The consequences. You do not know what would be the consequences if your data got into the wrong hands. Who would they pass it on to?
Myth No. 5: “It’s Only for Big Businesses.”
It is true that there are different legal requirements for different sizes and types of business, but there are two things the owners and managers of even the smallest businesses need to remember:
1. The Law. Any business, even a sole trader, can be prosecuted or sued for losing a client’s data. One sole trader was fined £500 in 2012 because an unencrypted hard drive was stolen from his car, putting at risk the data of 250 clients.
2. Trust. Everything said previously about reputation applies to any business.
So whoever you are, whatever size or type of business you are in, you need to forget the myths and take a long hard look at the facts. Then think how you are going to protect your data. Before it is too late!