There is consensus among members of The Corporate IT Forum that while proposed changes to data protection regulation might lead to greater consistency in the handling of personal data across the EU, ratification without any amendment "could add greater complexity and/or effort for data controllers" – particularly for SMEs – if the changes are mandated in some three years’ time.
Members are using publication of this formal draft "as an opportunity to review current data protection compliance against the key changes" proposed.
Specifically, one member recommended: "Consider the practicality of implementing the 'right to be forgotten' now, especially in customer and marketing databases, as retro-fitting could be more expensive than early incorporation."
Data protection compliance a high priority
However, with "meeting regulatory requirements" and "data management, quality and protection" consistently featuring among top-five operational goals and IT strategies for members (Strategy Survey 2012), data protection compliance is clearly an ongoing high priority.
But as the threat landscape changes and users become more savvy to the value of the assets and data they use, keeping one step ahead is a continual challenge.
Security Think Tank: How to prepare for EU data protection rules
The latest survey from the Forum’s Information Security Service (tISS) revealed nearly 100% of participating organisations are focused on maintaining compliance with the UK Data Protection Act and supporting their work with formal IT policies containing acceptable use policies (AUP) for equipment and services and controls around data – including portable computing and removable media controls, and guidelines for personal use of social networking sites and technologies. A high majority provide "user awareness training" as part of an employee’s induction and then regularly throughout their career.
Tips for effective data protection
Top tips and key recommendations from the recent tISS Security Strategies and Data Loss Prevention workshop output reports include:
- Identify what categories and types of data are at risk and consider protective marking;
- Have clear policies signed (and re-signed) by individuals, and supported by appropriate technology to aid maintenance of policy awareness;
- Control the use of removable media – use policies and user input to help define the rules for tools;
- Use tools to segregate personal and corporate data on mobile devices, and wipe the latter if and as required;
- Although the usability of digital rights management (DRM) is not straightforward, it is easy to apply simple controls, such as copy and paste and printing prevention to PDF files.
Ollie Ross is head of research at The Corporate IT Forum
This was first published in March 2012