The problem with the Data Protection Act, from a practical point of view, and in contrast to US-originated compliance standards like PCI DSS, is that the DPA does not contain a list of detailed, specific requirements that every organisation can decide are either applicable or not applicable, and, if they are applicable, tick off as having been complied with.
The problem with a tick box approach is that, where data security is concerned, one size definitely does not fit all. Threats evolve, and not all vulnerabilities are common. Compliance can be expensive and, if it is to be enforced, needs to be backed by an adequately resourced and aggressive regulator. The UK’s ICO is neither adequately resourced nor aggressive. However, it will pounce on obvious negligence, particularly in the public sector. The trick with the DPA, therefore, is to keep out of trouble, not to look for a detailed compliance checklist.
Complying with the DPA is a process that can be broken down into three discrete stages. The first is simple: Do those things that the DPA specifically requires.
The DPA specifically mandates all organisations that intend to process personal data to:
- Register as a Data Controller with the Information Commissioner’s Office (ICO) (clause 18) with a description of the data the organisation will process.
- Keep that notification up to date. Renew it annually and ensure the data processing description is still accurate.
- Publish a ‘Fair Processing Notice’, which describes what data is being processed by the Data Controller (clause 7).
- Operate a ‘Subject Access Request’ procedure (also clause 7), which enables any individual about whom data has been processed to have access to it, in order to find out what it is and/or to require it to be corrected or, under some circumstances, deleted.
Once those tasks are completed, the second phase of DPA compliance activity is about keeping out of trouble. Keeping out of trouble, in this context, means taking appropriate steps to protect personal data, in line with DPA Principle 7, and doing four specific things:
- Ensuring all portable devices that could conceivably -- under any circumstances -- contain personal data are encrypted. This encryption has to be to a specific standard: FIPS 140-2. The loss of an unencrypted laptop, hard drive, USB stick, backup tape or CD that contains a selection of personal data will get the organisation in trouble. There will be press coverage and brand damage, upset individuals and, possibly, action by the ICO.
- Ensuring websites that might contain personal data -- irrespective of whether they are e-commerce or straightforward information sites -- are secure. At the very least, this means conducting penetration tests against all Web applications handling personal data and then taking the identified remediation steps necessary to secure those sites and applications.
- Ensuring network security is adequate. This means fixed networks should be subject to penetration testing, wireless networks should be WPA2 secured, there should be regular sweeps for rogue wireless access points, and appropriate access control rules and technologies should be in place, particularly for high-value personal data such as medical, religious, racial or similarly sensitive information.
- Ensuring staff are aware of their DPA responsibilities. This means key staff should have their DPA compliance responsibilities formally included in their job descriptions, the corporate disciplinary policy should allow for dismissal in cases where an individual breaches the DPA or the company's Data Protection Act policy, and all staff working with personal data should be subject to at least basic training in their DPA responsibilities. There are good e-learning packages available that enable corporations to apply a consistent level of training across the organisation and to maintain evidence as to which members of staff have successfully completed the required level of training.
You might think you’ve done enough to comply with the DPA once you’ve completed either the first or the second phases of activity described above. In fact, you will only have done enough to keep mostly out of trouble.
You’ll only know you’ve done enough to comply when you have identified all the personal data held within the organisation, carefully analysed all the risks to it (while ensuring you have adequate measures in place to keep the data current and to retain it for no longer than required) and rolled out controls to reduce those risks to a minimal level.
While organisations might find this approach more challenging, it is more likely to protect personal data than one that relies entirely on a standardised list of controls; information security risks mutate and evolve more quickly, and effective defences against data breaches have to be similarly alert. This is, of course, the core premise of ISO/IEC 27001, the best-practice information security management standard. However, compliance with ISO 27001 is not, on its own, enough. For example, Epsilon, which was recently subject to a massive data breach, is ISO 27001 compliant.
Compliance of virtually all sorts is a nuanced pursuit: Every day that you avoid a data breach, you will have done enough to comply with the DPA; on the day you suffer a breach, you will not have done enough. Intelligent risk mitigation is about identifying those possibilities and eliminating them before they are exploited. From the data subject’s point of view, this is a far better approach than one that allows his or her data to be stolen, but excuses the custodian because it had ticked all the boxes.