Opinion

Understanding data compliance

3 min read

27 August 2014

From PCI DSS to CDE standards the data market today is rife with myths, jargon and acronyms when it comes to compliance. This is complicated further by data protection and compliance policies involving codes of conduct for IT decision makers throughout the UK.

From payments to data sovereignty, there is a rule or best practice guide for everything, meaning that finding a place to start is challenging. Every UK organisation must comply with the regulations or they could face hefty penalties and suspension of service. Non-compliance is no longer an option.

A recent survey by 6DG has unearthed the fact that almost half (43 per cent) of IT professionals don’t currently understand the compliance legislation when it comes to managing data. It’s no wonder why. From the UK’s Data Protection Act to individual (and varied) company privacy policies, IT professionals could get lost in a sea of paperwork. In fact, over half (52 per cent) of the IT industry specialists surveyed said that they would rather use a third party to manage their data compliance than make sense of it themselves. 

The cost of non-compliance can be substantial. Demonstrating how eager they are to enforce Cabinet Office’s ‘zero-tolerance’ approach to non-compliance, the Information Commissioner’s Office (ICO) issued a fine of £325,000 to an NHS University Hospital Trust after a serious data breach in 2012.

Data sovereignty (where the data is stored) is a key component when it comes to compliance. For some organisations it’s essential that data is stored within the UK or EU, or as prescribed either by law or by internal governance policies. We were pleased to see a large majority (86 per cent) of those questioned believing that data sovereignty is a concern. However, we were surprised to learn that in cases where an organisation outsources to Managed Services Providers (MSPs), there was often a lower level of in-house knowledge when it comes to compliance.

Rather than managing and monitoring the MSP closely, businesses are blindly assuming that their MSP is complying with the relevant regulations. A shockingly high proportion (35 per cent) of those outsourcing to an MSP admitted to not even knowing where their data is housed. u001fWhen a third of IT professionals using an MSP aren’t checking where their data is stored, how can they be sure that the solution is compliant and correct? With businesses relying on cloud providers that might be operating anywhere in the world, it’s time to start taking responsibility and make compliance and sovereignty a business priority.

Organisations need to manage vital financial information, customer details and intellectual property correctly in order to comply with the latest regulations. It is troubling that the majority of IT professionals surveyed have an insufficient understanding of how to make sure they are compliant. There’s clearly been a breakdown in communications between the ICO and the UK’s IT departments, but considering the number of rules out there perhaps it’s not surprising. Something needs to be done to help UK industries make sense of this maze of legislation.

Campbell Williams is group strategy and marketing director of Six Degrees Group.