Lawyer James Mullock explains data management issues and the new
legal requirements
With more than 15 years of using IT systems and nearly 10 years of
e-mail behind them, businesses are starting to drown in data.
At present, many senior management teams are ignoring the problem,
seeing the topic as an issue for their chief technology officers.
However, recent legislation has pushed responsibility and liability
for meeting data regulations to the main board.
For this reason, board members must listen to their technology
heads and empower them to make strategic decisions when it comes to
data management.
Some of the data management steps IT chiefs should make their
boards aware of are:
Data retention
There are numerous regulations relating to how long data should be
retained, and it is imperative that all staff know the rules. These
rules should include statutory retention periods for certain types
of data, industry-specific data retention regulations and data
protection laws.
Businesses should have a formal policy to guide staff on:
- How long different categories of data should be held for
- What steps should be taken before archiving data
- How data should be archived.
Data disclosure
Any data a business holds may be used in evidence against it.
Companies could be asked to disclose data to either the person the
data is about (the data subject), or to the authorities (such as
the police or the Environmental Agency under the Regulation of
Investigatory Powers Act 2000) within a time limit. Many firms are
ill-prepared to do so. For example, the time limit for disclosing
data to a data subject under the Data Protection Act 1998 is 40
days.
Businesses need to ensure they understand data disclosure
requirements, that staff only retain essential data and that they
know what to do if a demand for data disclosure is received.
Data processors
Most businesses outsource some element of their business processing
operations. Data protection laws oblige businesses to take
responsibility for the security of staff, customer and supplier
data when these are passed to data processors.
By law, security service levels must be agreed in writing with
service providers. Where a service provider is based outside of
Europe, additional data transfer rules apply. Businesses are
advised to regularly audit service providers to ensure they adhere
to legal requirements not only now, but also in the future.
Database review
Already well publicised, new laws from the European Commission
regarding "opt-in" consent for certain e-mail marketing will come
into force in the UK on 11 December. These, along with existing
marketing laws, mean that businesses should ensure that their
customer relationship management databases provide:
- Sufficient detail to enable a quick assessment of what type of
client consent has been obtained and for what type of activity
- A date highlighting when they obtained this information
- A way of recording whether, from a legal point of view,
sufficient information has been provided and consent
obtained.
Staff policies
Most businesses have implemented some form of IT policy that goes
some way towards helping them address data management issues.
However, few update these policies frequently enough to ensure they
address new technologies.
For example, how many firms have issued guidelines on instant
messaging, or explained whether using Wi-Fi to gain access to
certain categories of data while staff are off-site is unsuitable
and insecure?
James Mullock is a partner in IT and telecoms
at law firm Osborne Clarke