From PCI DSS to CDE standards the data market today is rife with myths, jargon and acronyms when it comes to compliance. This is complicated further by data protection and compliance policies involving codes of conduct for IT decision makers throughout the UK. From payments to data sovereignty, there is a rule or best practice guide for everything, meaning finding a place to start is challenging. Every UK organisation must comply with the regulations or they could face hefty penalties and suspension of service. Non-compliance is no longer an option.
Last year, a survey by 6DG unearthed the fact that almost half (43%) of IT professionals didn't understand the compliance legislation when it comes to managing data. It's no wonder why. From the UK's Data Protection Act to individual (and varied) company privacy policies, IT professionals could get lost in a sea of paperwork. In fact, over half (52%) of the IT industry specialists surveyed said that they would rather use a third-party to manage their data compliance than make sense of it themselves.
The cost of non-compliance can be substantial. Demonstrating how eager they are to enforce the Cabinet Office's zero-tolerance approach to non-compliance, the Information Commissioner's Office (ICO) issued a fine of £325,000 to an NHS University Hospital Trust after a serious data breach in 2012.
Data sovereignty (where the data is stored) is a key component when it comes to compliance. For some organisations it's essential that data is stored within the UK or EU, or as prescribed either by law or by internal governance policies. We were pleased to see a large majority (86%) of those questioned believed that data sovereignty is a concern. However, we were surprised to learn that in cases where an organisation outsources to Managed Services Providers (MSPs), there was often a lower level of in-house knowledge when it comes to compliance.
Rather than managing and monitoring the MSP closely, businesses are blindly assuming that their MSP is complying with the relevant regulations. A shockingly high proportion (35%) of those outsourcing to an MSP admitted to not even knowing where their data is housed. When a third of IT professionals using an MSP aren't checking where their data is stored, how can they be sure that the solution is compliant and correct? With businesses relying on cloud providers that might be operating anywhere in the world, it's time to start taking responsibility, making compliance and sovereignty a business priority.
Organisations need to manage vital financial information, customer details and intellectual property correctly in order to comply with the latest regulations. It is troubling that the majority of IT professionals surveyed have an insufficient understanding of how to make sure they are compliant.
There's clearly been a breakdown in communications between the ICO and the UK's IT departments, but considering the number of rules out there perhaps it's not surprising. Something needs to be done to help UK industries make sense of this maze of legislation.
Data compliance tips
Whilst we're waiting for this to happen, here are my top tips for becoming data compliant:
1. Ask your Managed Services Provider how they deal with your data.
2. Keep up to date with the latest legislation and changes, trying to understand how they impact the way you do business.
3. Manage your MSP, keep asking what improvements they are making and how this will impact you and your data.
4. And last, but not least: Always know where your data is being stored. Always.
These tips simply scrape the surface of a complicated environment. Whether you're a customer or a provider, everyone has the responsibility to ensure they are complying with the latest regulations. After all, compliance regulations exist for a reason.
- Campbell Williams is Group Strategy & Marketing Director at Six Degrees Group (6DG)