IT should warn the board about data laws

Lawyer James Mullock explains data management issues and the new legal requirements.

With more than 15 years of using IT systems and nearly 10 years of e-mail behind them, businesses are starting to drown in data.

At present, many senior management teams are ignoring the problem, seeing the topic as an issue for their chief technology officers. However, recent legislation has pushed responsibility and liability for meeting data regulations to the main board.

For this reason, board members must listen to their technology heads and empower them to make strategic decisions when it comes to data management.

Some of the data management steps IT chiefs should make their boards aware of are:

Data retention

There are numerous regulations relating to how long data should be retained and it is imperative that all staff know the rules. These should include statutory retention periods for certain types of data, industry-specific data retention regulations and data protection laws.

Businesses should have a formal policy to guide staff on:
  • How long different categories of data should be held for
  • What steps should be taken before archiving data
  • How data should be archived

Data disclosure

Any data a business holds may be used in evidence against it. Companies could be asked to disclose data to either the person the data is about (the data subject), or to the authorities (such as the police or the Environmental Agency under the Regulation of Investigatory Powers Act 2000) within a time limit. Many firms are ill-prepared to do so. For example, the time limit for disclosing data to a data subject under the Data Protection Act 1998 is 40 days.

Businesses need to ensure they understand data disclosure requirements, that staff only retain essential data and that they know what to do if a demand for data disclosure is received.

Data processors

Most businesses outsource some element of their business processing operations. Data protection laws oblige businesses to take responsibility for the security of staff, customer and supplier data when these are passed to data processors.

By law, security service levels must be agreed in writing with service providers. Where a service provider is based outside of Europe, additional data transfer rules apply. Businesses are advised to regularly audit service providers to ensure they adhere to legal requirements not only now, but also in the future.

Database review

Already well publicised, new laws from the European Commission regarding "opt-in" consent for certain e-mail marketing will come into force in the UK on 11 December. These, along with existing marketing laws, mean that businesses should ensure that their customer relationship management databases provide:
  • Sufficient detail to enable a quick assessment of what type of client consent has been obtained and for what type of activity
  • A date highlighting when they obtained this information
  • A way of recording whether, from a legal point of view, sufficient information has been provided and consent obtained

Staff policies

Most businesses have implemented some form of IT policy that goes some way towards helping them address data management issues. However, few update these policies frequently enough to ensure they address new technologies.

For example, how many firms have issued guidelines on instant messaging, or explained whether using Wi-Fi to access certain categories of data while staff are off-site is unsuitable and insecure?

James Mullock is a partner in IT and telecoms at law firm Osborne Clarke