Companies should see compliance with the Data Protection Act (DPA)
as an opportunity to boost business and not a legal hurdle.
That was the message from the government's information
commissioner, Elizabeth France, and a panel of experts at the
Information Security Solutions Europe 2001 conference.
With all exemptions to the DPA ending on 24 October, France said:
"Data protection is taking centre stage as citizens become more and
more aware of the issue. This is not just a UK preoccupation.
Gaining the confidence of individuals through data protection is
seen as very important if e-commerce is to work. Data protection is
good for business."
Bojana Bellamy, global head of data protection compliance for
Accenture, agreed that data protection was not the obstacle to
e-commerce that many businesses believe it to be.
"I have no doubt that e-commerce would be hindered without data
protection," she said. "It is not a barrier to e-commerce and is
crucial in gaining the trust of customers and staff."
Bellamy pointed to two major companies, AOL and IBM, that have
recognised the importance of the issue by refusing to carry
advertising on their Web sites for any firms that are not
DPA-compliant. She also called on all businesses to take data
protection seriously at senior level.
"It requires top management commitment and there must be someone
internally responsible in the form of a compliance officer,"
Bellamy added.
Bellamy called it "essential" for businesses to audit the data they
hold to find out whom they hold data on, what that data is and why
it is needed.
Data compliance officers should preferably be trained and
experienced, and must be in touch with legal developments. German
companies are already required by law to employ a compliance
officer.
Speaking on the possibility of statutory enforcement, France said:
"The UK government does not think it is necessary to force all
businesses to have a data protection officer. We feel it is unfair
on small companies, and the businesses we discussed this with were
generally not in favour. However, more and more businesses are
looking for data protection compliance officers."
The compliance deadline for the DPA is 24 October and any firms
that do not comply by this time will leave themselves open to
prosecution. The information commissioner made it clear that
company privacy statements posted on Web sites are coming under
particularly close scrutiny.
She said: "We are checking privacy statements on company Web sites
to check they are doing what they say they are doing. If you have a
privacy statement you must be adhering to it. Having a statement
and not complying with it is worse than not having a statement at
all."