Comment Article
Data and the law - are you compliant?
The Data Protection Act 1998. The Markets in
Financial Instruments Directive. The Payment
Card Industry Data Security Standards. The
Copyright, Design and Patents Act 1988. The
Human Rights Act 1998. The Freedom of
Information Act 2000. The Financial Services
Authority. Sarbanes Oxley 404.
Just a few of the UK’s, Europe’s and even US’
laws that have been passed that impact how you
have to deal with data. Sure, not all of these
may apply to you – but the majority will, and
while looking through the mountain of various
documents that constitute these laws, it
becomes apparent that many of the needs of
each law are not exactly compatible with the
needs of others.
And we also have to take in to account the fact
that it is not just laws like these that impact how
we deal with data. How about regulatory filings
to HMRC or Companies House? How about the
need for us to share information with our
suppliers and customers in a manner that meets
our own security concerns? How about industry
standards such as ISO17799 and ISO9000, or
more specialised standards such as ISO2000
based on ITIL? How about the use of electronic
data interchange (EDI), and the various
standards hidden under here, such as AS/2 or
EDIFACT?
Managing data is a perennial problem, but is
becoming more critical as data volumes grow,
and users become more proficient at blending
their work and leisure environments. With data
growths being quoted as doubling anywhere
from weeks to months and still accelerating, how
we deal with data against the backdrop of such
legal and market regulation means that we have
to take a long, hard look at what we are doing.
Lip service to the law is not recommended.
Although the full force of the law is not generally
applied, the possible financial implications can be
hard. Take, for example, the UK’s Data
Protection Act (DPA). Although the actual fine
for non-compliance is capped at £5,000, the
© 2010 Quocirca Ltd http://www.quocirca.com
By Clive Longbottom, Service Director, Quocirca Ltd
impact of other sanctions the Information
Commissioner’s Office (ICO) can take can far
outweigh this. For example, once a company
has broken the DPA, it can be forced to create a
plan that details the steps it will take to ensure
such a breach does not happen again. If a
company breaks the DPA twice, the ICO can
assign a government auditor who will investigate
and create a legally binding plan the organisation
has to put in place within agreed timescales. But
far worse than that can be the impact on brand
when the news that customer records have gone
astray hits the news. Also, although the DPA can
seem pretty toothless as a financial hit in itself,
other professional bodies can take things further.
This was shown in a big way when the
Nationwide Building Society in the UK had a
laptop containing user details stolen from an
employee’s home. This was a possible breach of
the DPA, but the Financial Services Authority
took over and fined Nationwide nearly £1m for
perceived lapses in data security.
However, copyright can be far worse. Although
the majority of organisations will realise that
illegally downloaded music and video files will
breach copyright, few are aware of how much
file downloading takes place within the business
– generally to a local disk before being stored on
the user’s device. Unfortunately, ignorance is
not bliss, and the organisation stands just as
much chance of being prosecuted for such
copyright breach as the individual does. With
courts around the world taking copyright
breaches very seriously, it is a necessity to
understand the possible issues and potential
solutions to meet such problems.
But the big problem for an organisation looking
at how best to deal with data compliance issues
is the choice of solutions. Sure, you can go to a
systems integrator and they will probably be able
to offer a project to address your DPA needs.
Then, they’ll also be able to give you an ISO9000
solution and perhaps strap on an ISO17799
package. But, unless each of these separate
+44 118 948 3360
projects has then been fully integrated, you find
that each one breaks the needs of the others.
For example, let’s look at an accredited ISO
group needing to do an audit. In they come, and
you lead them through the solution that has
been put in place for that ISO standard.
Unfortunately, you will probably be showing an
outside group customer data that the customer
has not agreed can be shared in this way.
Therefore, you are in breach of the DPA.
Likewise, the police come in wanting to look at a
specific problem – let’s say money laundering.
They will have to have a specific warrant that
states exactly what it is they are looking for. If
you provide beyond that level of information,
you’re probably in breach of one of the other
laws.
© 2009 Quocirca Ltd http://www.quocirca.com
Even worse – imagine that some group, say the
Serious Organised Crime Agency (SOCA), comes
in needing to investigate a range of issues where
they believe there is a threat to national
security. It may well be that this isn’t just down
to a single definable area within the business –
so your DPA, Freedom of Information (FoI),
ISO17799, ISO9000 and so on solutions are
suddenly completely useless. The Boys in Blue
want information, want it fast, and want it across
the whole of your organisation. If you are in a
high value trade with high value customers,
suddenly finding that you have no option but to
make customer names, addresses and financial
details available to the authorities, even though
their warrant doesn’t specifically cover it, is not
likely to go down well at all.
But, there are ways around all of this, based on
structured data storage and a concept called a
Compliance Oriented Architecture (COA). The
second article in this mini-series will look at what
the issues are within current data architectures,
and at some of the approaches that will help to
establish the foundation for creating a COA. The
final article will cover the COA itself – what is
really involved, and how to go about putting one
in place.
+44 118 948 3360
 About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology
and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the
views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-
world practitioners with first hand experience of ITC delivery who continuously research and track the industry
and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption – the personal and
political aspects of an organisation’s environment and the pressures of the need for demonstrable business value in
any implementation. This capability to uncover and report back on the end-user perceptions in the market enables
Quocirca to advise on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC
has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca’s
mission is to help organisations improve their success rate in process enablement through better levels of
understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC
products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of
long term investment trends, providing invaluable information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and services to help them deliver on the promise
that ITC holds for business. Quocirca’s clients include Oracle, Microsoft, IBM, O2, T-Mobile, HP, Xerox, EMC,
Symantec and Cisco, along with other large and medium sized vendors, service providers and more specialist
firms.

Details of Quocirca’s work and the services it offers can be found at

http://www.quocirca.com

© 2010 Quocirca Ltd http://www.quocirca.com +44 118 948 3360