Data protection: don't get caught out

by Tim Phillips, Computing

02 Aug 2000

First there was the millennium bug, then euro compliance. Now comes the latest threat to your sanity and workload: the 1998 Data Protection Act.

"This Act represents the most widespread piece of IT legislation ever, and will have as significant an impact on businesses as the preparations for year 2000 compliancy," warns Paul Vlissidis, head of information security and risk at the National Computing Centre (NCC). "Organisations which ignore it do so at their peril."

Despite this warning, it seems that companies are still ignoring the Act, four months after it became law. The NCC recently conducted a survey of UK businesses, acting as a 'mystery shopper'. When it demanded access to personal information about the shopper, more than half of the companies would not, or could not, comply.

"I am sure that apathy is caused by the fact that data protection has rarely caused a large number of businesses problems, and it is assumed that essentially the same old laws are still in place," says James Mullock, a solicitor with IT law firm Osborne Clarke OWA.

This is not the first evidence to indicate that the new data protection legislation has caught UK firms on the hop. In February this year, research by data specialist GB Information Management showed that nine out of 10 companies did not know that the Act would come into force on 1 March 2000. Yet this is an Act that will completely transform the way that personal data is stored in the future - and the way most firms operate.

"Companies still don't understand that data subjects have rights," says Neil Hare-Brown, director of security consultant QCC. "For many companies, it will cost hundreds of thousands of pounds to get this right. And some poor sucker in IT has been given the job of enforcing it."

Data day problem
The job will be particularly difficult for the 58 per cent of UK companies that use more than one database, as revealed in the GB Information Management survey. The Opus Group, for example, had to align more than 40 databases.

"Under the Act, any individual can write to a company demanding a copy of all the data held about themselves," says Tim Beadle, a marketing services specialist at Opus. "So we had to consolidate all databases into one system. Imagine having to trawl through 40 or 50 databases to find someone."

Databases aren't the only problem area. "The most onerous obligations are those relating to information which must be given to and obtained from a business' customers before their details are used, and the requirement to take steps before transferring data abroad," says Mullock.

"Both require commercial procedures to be changed. Companies really need to carry out a risk assessment so that, at the very least, they know how they are exposed," he adds.

Any 'new processing' done after 1 March is covered by the Act. That means that any post-February idea for a dotcom, any ecommerce venture undertaken by an existing company and any new ventures all have to be compliant today.

Existing processes have a little more time: until 24 October 2001 for electronic records, and until the same date in 2007 for paper records. But that still gives anyone holding data just over 12 months to rewrite their applications.

"If your organisation holds electronic data or paper records that relate to living individuals, you need to ensure that you are fully compliant with the new legislation, or risk facing heavy penalties," says Vlissidis.

Websites are particularly vulnerable to such penalties. "There are a huge number of business-to-consumer sites out there which still do not contain privacy policies and user consent tick box wording," warns Mullock. "I get the impression that many companies do not think about these issues when constructing their websites," he adds.

"Even when businesses do think about data protection, they still do not construct their sites correctly to ensure compliance with the various obligations of the Act."

Case study 1: Equifax
Action needed: Year 2000-style review of all data and procedures
Project duration: Started September 1998; completion deadline, October 2001
Cost: Undisclosed
Problems: Reliance on data from partners

"Two years ago, I would have said, 'Not more bloody regulations'," admits Equifax director of external and community affairs Barry Conroy. "But now we may be ahead of the game."

As one of the world's largest credit-checking agencies, and the largest provider of consumer information in the UK, Equifax processes 850 million payment transaction records every year. It holds data on 400 million consumers worldwide. If the Data Protection Act affects anyone, it affects this company.

It is not surprising, then, that the compliance deadline of October 2001 is being taken just as seriously as 31 December 1999.

"We are having to undertake a major review," says Conroy. "Projects like this cannot be done on an ad-hoc basis."

There is a dedicated project team, which is in regular contact with the Data Protection Commissioner's Office.

Data Protection compliance is very similar to year 2000 work, according to Conroy. Not only has he been obliged to educate his own staff about the size of the potential risk, but partners also need to understand the problem - and do something about it.

Communicating with staff is essential, because the changes are more about the way individuals use systems than how equipment functions.

"I have personally run 12 one-day workshops. The subject is dry, it's boring, it's difficult. When you read the regulations, it is like watching paint dry," admits Conroy. "But we have identified where we will have to change the way we work, such as the rights of the individual. Under the old Act, people had a right to correct the data that we held. Under the new Act, they have a right to compensation if there are errors. That focuses your mind."

Conroy can only hope that Equifax's data suppliers - almost every financial services and retail organisation in the UK - are just as focused. So far, however, he thinks their understanding of the Act is "patchy".

"In the past, it was easy to say, 'that was their data'. Now we are jointly liable for it," he says.

"Are we obtaining our data fairly? We need to do a major review of the consent clauses in the financial services industry, and make it clear to individuals what we are doing. In the past we have been profligate with our data. We have copied it, moved it. We're reviewing all of that. For example, now we have to make sure that individuals know if we export their data to the US," he adds.

"The 1998 Act covers sole traders and partnerships. If anyone is going to be caught with their trousers around their ankles, it is them." But there's no alternative to pushing data suppliers into compliance, because unless Equifax has formal guarantees of compliance, the risk of compensation claims is too great.

Contingency funds are in place for anticipated claims. Conroy declines to say exactly how much the Act has increased the company's costs, or how much has been put aside for compensation, but he is keen to play down the overall cost. "I have increased our provisions for compensation, but only by the odd few thousand pounds," he says.

Not only will Equifax gain from more efficient data storage and searching processes, but if it can guarantee compliance, it could offer credit services for ecommerce startups or internet projects launched by companies that just won't have their databases ready in time.

Case study 2: Swiss Life Insurance
Action needed: Added security
Project duration: Ongoing
Cost: Negligible additional cost
Problems: Tracking data when staff move around the company

Security was top of the agenda when Swiss Life checked out the new data protection rules. As an outpost of a Swiss company, the UK arm of the insurance giant has been used to working in an environment with strict data protection legislation for many years, and had no need to rewrite its databases or upgrade its software.

But the company did want to review all its data security procedures in the UK to ensure it was complying with the Act's demand for stronger measures.

"Our corporate headquarters has put in place a company-wide security policy that follows BS7799," says security co-ordinator Danny Hulligan. "So by adopting those corporate security requirements, we can conform to the terms of the Data Protection Act. But security policies are living policies. We constantly have to make sure we conform with the group policy."

"Security requirements are underestimated. We don't employ a specific individual for data protection," adds Hulligan. "That's partly because the responsibility devolves outwards. I'm still responsible overall for data protection, but now it involves 50 people across the company who have to know how this works in practice."

Prior to the Act, anyone could access data unless they were blocked from seeing it. Now, no one has access to data unless they are explicitly given permission to see it. "If we have a clerk who joins a team, then 12 months later they may make a sideways transfer," Hulligan says. "We have to make sure that clerk only has access to the data he or she is working with."

Neil Hare-Brown, a director of security consultant QCC, which has been working with Swiss Life to ensure the company conforms to the terms of the Act, believes the focus of security has to change.

"In a company such as Swiss Life, the personal information that has been provided has to be secured internally as well, even if they are paper-based records," he says. "So someone working in human resources should not have access to personal data for clients. This has come as a shock to many companies that have only worried about perimeter security until now." The new regulations mean that Swiss Life - or any other company - cannot afford to have even one 'off day'.

"We have to be aware that one of the powers of the Data Protection Commissioner is that she can turn up on your doorstep at any time," says Hare-Brown. "She doesn't even have to make an appointment."

Case study 3: Opus Group
Action needed: Full software rewrite
Project duration: Six months, ending May 2000
Cost: £100,000
Problems: Data was stored on disparate databases and its use had not been authorised by the individuals concerned


Getting to grips with the new data protection legislation has been no easy task for marketing specialist the Opus Group. It had more than 40 databases and a million records to trawl through, and needed to tighten up its access controls.

The project, which will cost about £100,000 over the year, mushroomed until it changed every database and procedure in the company. "We have had to completely rewrite our databases to comply with the Data Protection Act," admits Tim Beadle, the firm's director.

Beadle calculates that even companies not as dependent on data as Opus should be allowing for an incremental cost of up to £1 per record per year for holding customer data.

"The time needed to develop the structure and business logic was about three months. Given that we normally charge our developers out at £800 per day and this was 'lost' time, the cost to us was £48,000. On top of that, we have spent about £10,000 on security and a further £5000 on internal education and procedures," he says.

The biggest implication of the Act for Opus was the rules applying to unauthorised data, since much of the company's data had not been gathered with the subject's explicit approval.

"Under the old Act, contacts at business addresses were not covered and all our databases were of that type," says Beadle. "So we had to add permissions fields to send people direct mail, call them or email them."

A large number of records contained business-to-business contacts who had never been asked whether they granted permission to provide their names; for example, salespeople had provided the name of their managing director. This means that a flag has to be added to the record in the database, and a letter written to everyone in this position.

Opus Group relies on the leeway provided by the Act to keep the data; destroying all these records would have a "disproportionate effect" on its ability to do business.

Having realigned its databases, Opus also needed to review who had access to the records. "Because we're an agency, we have lots of people pottering around all over the network and the databases," says Beadle. "We have had to put in highly granular security to permit people to see only what they need to see. We have also restricted access to the network in the first place by installing SecurID from RSA Security."

This has created its own problems; for example, individuals who ask to be deleted from the database could accidentally be added again by staff who no longer have the right to see that a record once existed but has been deleted. To avoid this, the database sends a letter to people who have asked to be removed to request they be moved to a 'suppression file'. Without their approval, Opus can't even keep a record that states the individual does not want to be on a database.

"The Act has made customer relationship management (CRM)-style databases mandatory for business-to-business firms, because they all have sales or marketing databases of customers," says Beadle.

Opus Group has been retained as a data protection consultant by several clients, but CRM director Adrian Moss has seen little awareness of the scale of the task ahead. "I ask companies to tell me how many databases they have before I start the audit," he says. "I used to bet them £10 they would get it wrong. I've increased the bet to £100 as I have no fear of losing."

What you need to know
The eight principles of the Act form a watertight regime. Here are the points you have to remember, and some problems you may encounter:
  • Personal data must be processed fairly and lawfully
    The data subject - the person whose data is being collected - has to know who the data controller is, and why the data is being collected
    Problem: Do the people on your database know exactly for what purpose their data has been collected? They must be informed and give their consent for use of their details

  • Personal data can be obtained only for specified purposes
    You have to specify one or more purposes
    Problem: Do your databases prevent other employees from 'dipping in' to that data? If not, you are in breach of the Act

  • Personal data should be adequate and relevant and not excessive
    This was in the 1984 Act, but applied only to electronic records. Now it covers paper records too. Many websites may be in breach if they insist on an excessive registration page
    Problem: Does your contact data have 'comments' fields, with subjective comments about the data subject? If it does, you're breaking the law

  • Personal data must be accurate and up to date
    If it isn't accurate, you not only have to put it right, you may have to pay a fine. In a survey carried out by GB Information Management, eight per cent of companies admitted that they have never checked the accuracy of customer information, so this could be a big sticking point
    Problem: This applies whether or not your company collected the data; this means you are equally liable for data from trading partners

  • Information should not be kept for longer than is necessary
    Part of the 1984 Act, but it now applies to all companies and all forms of records
    Problem: If you accept records from a trading partner for a specific marketing purpose, will that data be purged afterwards?

  • Data must be processed in accordance with the rights of the subjects
    If individuals want to see all of the data you hold on them, they have a right to see it, in a user-friendly format, within 40 days. The law also applies to CCTV images
    Problem: Can you perform the necessary search, and produce a coherent document?

  • Appropriate technological measures must be taken
    Information has to be not only kept safe from hackers, it must also be secured from other employees who don't have rights to it
    Problem: You are also responsible for the security of data when it is in the hands of third parties. Are your partners secure too?

  • Personal data cannot be transferred to countries outside the European Union unless the country provides an adequate level of protection
    Problem: Do you know what happens to the data collected from your web page? Personal data cannot be exported without the subject's consent, or without first making certain that an equivalent data protection regime is in place. This has relevance for all subsidiaries of US organisations; data cannot be transferred for processing to the US, where there are no data processing or privacy laws.
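The Opus case study and the principles above describe several mechanisms that have to work together: per-channel consent flags that default to "no", a suppression file that stops an erased person being re-imported, access limited to the team that owns a record, a retention purge, and a subject access search that collates everything held across several databases. The following is an added example written for this article, not code from Opus Group, Equifax or any product named here. Every name, address and date in it is constructed; the salted hash used for the suppression file is an assumption about how such a file could recognise an opted-out person without holding their address in the clear.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumption: a per-deployment secret so the suppression hashes cannot be
# reversed simply by hashing a list of likely addresses (constructed value).
SUPPRESSION_SALT = b"constructed-demo-salt"


def suppression_key(email):
    """Hash of a normalised address: lets the store recognise an opted-out
    person without keeping their address or name on file."""
    normalised = email.strip().lower().encode()
    return hashlib.sha256(SUPPRESSION_SALT + normalised).hexdigest()


@dataclass
class Contact:
    email: str
    name: str
    purpose: str                 # the specified purpose the data was collected for
    owner_team: str              # the one team entitled to read this record
    collected_on: date
    consent: dict = field(default_factory=dict)  # channel -> True; absent means no consent


class ContactStore:
    """Several logical databases behind one interface, so that subject access,
    erasure and retention cover all of them in a single operation."""

    def __init__(self, retention_days):
        self.retention_days = retention_days
        self.databases = {}      # database name -> {normalised email: Contact}
        self.suppressed = set()  # hashes only, never names or addresses
        self.audit = []          # (event, ...) tuples for later review

    def add_contact(self, db, contact):
        """Refuse to import, or re-import, anyone on the suppression file."""
        key = contact.email.strip().lower()
        if suppression_key(key) in self.suppressed:
            self.audit.append(("rejected_suppressed", db))
            return False
        self.databases.setdefault(db, {})[key] = contact
        self.audit.append(("added", db))
        return True

    def may_contact(self, email, channel):
        """Default deny: a channel without an explicit consent flag is off limits."""
        key = email.strip().lower()
        return any(key in db and db[key].consent.get(channel, False)
                   for db in self.databases.values())

    def read(self, requester_team, email):
        """Default-deny access: only the owning team is shown the record."""
        key = email.strip().lower()
        found = [db[key] for db in self.databases.values() if key in db]
        allowed = [c for c in found if c.owner_team == requester_team]
        self.audit.append(("read", requester_team, len(found), len(allowed)))
        return allowed

    def subject_access(self, email):
        """Collate everything held on one person, from every database."""
        key = email.strip().lower()
        report = []
        for name, db in self.databases.items():
            if key in db:
                c = db[key]
                report.append({"database": name, "name": c.name, "purpose": c.purpose,
                               "consent": sorted(ch for ch, ok in c.consent.items() if ok)})
        return report

    def erase(self, email, agreed_to_suppression):
        """Remove the person from every database; keep only a hash, and only
        if they agreed to be placed on the suppression file."""
        key = email.strip().lower()
        removed = 0
        for db in self.databases.values():
            if db.pop(key, None) is not None:
                removed += 1
        if agreed_to_suppression:
            self.suppressed.add(suppression_key(key))
        self.audit.append(("erased", removed, agreed_to_suppression))
        return removed

    def purge_expired(self, today):
        """Retention: drop records older than the retention period."""
        cutoff = today - timedelta(days=self.retention_days)
        purged = 0
        for db in self.databases.values():
            stale = [k for k, c in db.items() if c.collected_on < cutoff]
            for k in stale:
                del db[k]
            purged += len(stale)
        return purged


if __name__ == "__main__":
    store = ContactStore(retention_days=365)
    ann = Contact("Ann@Example.test", "Ann", "newsletter", "sales", date(2000, 3, 1), {"email": True})
    store.add_contact("crm", ann)
    print(store.subject_access("ann@example.test"))
    store.erase("ann@example.test", agreed_to_suppression=True)
    print("re-import allowed:", store.add_contact("crm", ann))
```

The suppression file holds nothing but hashes, which is the compromise the Opus passage describes: the store can still refuse to re-import an erased person, yet it no longer holds a record saying who they are. The audit list is there because the principles put the burden on the controller to show who looked at what.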
