smallbusiness.co.uk: Helping your business think big

Personal data protection

Mounting public awareness of the way personal data can be abused means that companies need to make sure their handling of sensitive information is beyond reproach

Widely reported government data breaches have brought the issue of information security to the fore, but that doesn’t mean companies have nothing to worry about.

‘While the government is being lambasted for quite public and regular breaches, they are certainly not alone,’ says Paula Barrett, head of the data protection group at law firm Eversheds. She adds that cases such as the theft of an unencrypted laptop from Marks & Spencer, which held the personal information of 26,000 employees, have shown that corporate Britain is also vulnerable to the problem of accidental leakage of sensitive data and the bad publicity that inevitably follows.

Of course, if you don’t store data in the first place, you can’t lose it. Martin Bysh, MD of dating website operator Makefriendsonline, says all payments to his company are handled by processor Paypoint.net, while the only data stored by Makefriendsonline is the user’s nickname and personal details (such as height, religion and skin colour) which do not identify the individual.
 
‘There’s a very clear split between recognisable personal data and the rest,’ says Bysh. ‘If we see that people have used their real name as a nickname, we often shut down the account and write to them, suggesting they choose another one.’

As a result, Makefriendsonline doesn’t need the complex IT infrastructure and security tools that it would require to safeguard credit card details, Bysh states.
 
‘The key thing is to recognise that [data protection] is your responsibility. It’s not just a moral obligation [of the business] but a legal requirement,’ he says.

Not my problem

Such an attitude is rare, according to a Paypoint.net survey. Some 99 per cent of respondents from 350 UK-based online businesses do not believe fraud resulting from data breaches is their responsibility, pointing the finger at banks, credit card issuers or payment service providers.

Barrett feels that companies are still ‘struggling’ to get to grips with the Data Protection Act 1998, despite the fact it’s been around for ten years.

‘We will see further regulation: technology has moved on apace and in particular the use of the internet,’ she argues. ‘There is information gathering going on now that was never imagined ten years ago.’

Richard Webster is marketing director at DLG, a company that collects personal information from consumers through telephone conversations, printed questionnaires or online competitions, then sells that data on to third parties. Legally, the business depends on the fact that people volunteering their information agree for it to be used in that way.

‘It’s not in our interests to try and dupe people into entering their details under false pretences – quite apart from the fact it’s against the law,’ says Webster. ‘Our intention is to maintain an ongoing communication so we can maximise our revenues from each individual.’

Opting out

As required by legislation, consumers can unsubscribe at any time from all communication from DLG or its clients. As a result, the company strives to ensure that no one receives inappropriate material, claims Webster.

‘All the law boils down to is being open and honest with people,’ he adds.

Like Bysh and Webster, Barrett feels that data protection legislation does not place an undue burden of responsibility on business. Nor has it been very strictly enforced, with many marketing list providers in particular getting away with non-compliance. That may change, she adds, with increasing public awareness of the issue and the relevant regulator, the Information Commissioner’s Office (ICO), set to gain new powers.

‘The ICO is seeking the power to levy fines of up to ten per cent of turnover for serious and reckless breaches resulting in harm to individuals,’ she says.

Though these cases will be rare, Barrett adds that some non-compliant companies are already feeling the pain in the form of reduced valuations. ‘You may think your customer database is a valuable asset in an M&A discussion, but no acquirer wants the cost of issuing notices and gathering consents,’ she says. ‘There are some real price reductions that result from a lack of compliance.’
 
