Massive policy changes in data protection hold keys to business opportunity

This past year, 2010, will be remembered as an important year for data protection, with the highest level of regulatory activity for more than 40 years.

This past year, 2010, will be remembered as an important year for data protection, with the highest level of regulatory activity for more than 40 years.

In 2011, many of the recent and coming changes will be translated into black letter law, making regulatory compliance a bigger challenge than ever before.

But, at the same time, these game changers, present massive opportunities for the IT industry, says Stewart Room, partner at law firm Field Fisher Waterhouse.

"IT companies need to stay on top of these changes to retain their credibility and to develop products that business organisations will need to cope with these changes," he says.

Both the IT industry and other business need to look to the emerging trends to be able to anticipate the requirements that will become enshrined in law in the coming year.

There is business advantage to IT companies in producing products that will enable compliance and to all other companies in deploying them quickly, says Room.

It is important to map products to the emerging frameworks as tightly as possible, he says, because there is an equal business risk of overstating a product's capability.

Penalties mean business

The IT industry needs to recognise that regulation and law can be a driver of change, and, says Room, business opportunity lies in identifying how and when that is likely to happen.

In the UK, this can be done by looking at the enforcement notices and punitive actions taken by the Information Commissioner's Office (ICO).

The first monetary penalties for data protection failures in November, for example, highlight the importance the ICO attaches to ensuring electronic communications that include personal information, reach the intended recipients.

The ICO penalised Hertfordshire County Council £100,000 for breaching the DPA twice in two weeks, by faxing sensitive personal information to the wrong recipients.

This is a good example of the kind of things IT companies should look to for market opportunities, says Room, so they can go to the market and say they have that problem covered.

By looking through ICO enforcement notices, guidance and other publications, he says IT companies should be able to identify trends in expectations that are likely to become legal requirements in future.

European framework

Across Europe, the European Network and Information Security Agency (Enisa) has a similar role to the ICO in building future legal frameworks, and like the ICO, can be useful in helping the IT industry develop product requirements and other organisations to build business cases for IT investments.

As pressure increases on the UK to align its legislation with European Union directives, these too are a rich source of potential product design requirements.

In November, the European Commission published its plan to amend the Data Protection Directive.

"The amendment plan tells us that we are going to see new data protection principles, for accountability, privacy-by-design, privacy enhancing technologies, privacy impact assessments, data portability, data minimisation and a right to be forgotten," says Room.

The EU's Citizens Right Directive, which the UK government has opened a public consultation on translation into law, includes requirements for websites to track user behaviour through 'cookies' only with explicit consent, and the EU is promising to introduce a pan-European breach disclosure regime covering every sector of the economy, to complement the one that comes into effect in May next year for the electronic communications sector.

All these changes in legal frameworks will require businesses to prove planning for IT security from the very start of projects, says Room, and represent a potential opportunity for the IT industry to develop the technologies and tools businesses will need to enable and to prove regulatory compliance.

As well as driving change, regulation and law often responds to change, mostly to behaviour that it seeks to correct, says Room, but the IT industry should also recognise that it has a role to educate regulators on new technologies.

In this way, he says, the IT industry can seek to influence future regulation and laws. The main reason encryption has become a de facto regulatory requirement is that regulators are familiar with it as an effective data protection technology.

By educating regulators about new and emerging technologies, Room believes the IT industry can help broaden the range of technologies recognised by regulators as supporting best practice.

"Many in the IT industry will soon be grandstanding about the massive changes that are on the way, but the clever ones will be getting supportive technologies out now, ahead of the pack," says Room.

In addition legal frameworks, government policy is another good source of information the IT industry can use to win business benefit.

In October, the National Security Strategy confirmed cyber attack as a top priority for the UK government.

In a joint foreword to the strategy, prime minister David Cameron and his deputy Nick Clegg said there needed to be a "radical transformation" in the way that Britain thought about and organised its national security.

"This represents a blank canvass and a good opportunity for the IT industry," says Room.

Read more on IT legislation and regulation