Global and Vulnerable:
A global double-whammy

More companies are using global data processing resources, but are they sure they’re preserving the confidentiality of the data they hold? GAVIN JONES urges extra vigilance.

The willingness of the Information Commissioner to use fines to enforce data protection issues is an important development, especially in the financial services industry. The fines themselves are not likely to damage an organisation seriously, but the unwelcome attention they will attract and the subsequent impact on corporate reputation is significant.

The customers of those providing retail financial services want to feel that their personal and financial data is held securely. The issue of data protection is now more visible than ever before and compliance will have to stay one step ahead of public concerns.

Improvements can be made quickly by driving a process of continual audits of data collection, data retention and data interfaces, and by looking closely at anywhere data may be inadvertently disclosed.

This must be coupled with more rigorous pre-employment screening in data sensitive areas. And, of course, it’s also essential to improve transparency and openness between an organisation and its customer base about why and what personal data is being collected and how it will be secured.

As we move to a global model of data processing, though, many companies are unwittingly in potential breach of legislation by failing to inform the Information Commissioner’s Office that they are engaged in worldwide processing of data.

This is a double whammy for businesses: they must not only ensure that any overseas processing is taking place under the appropriate EU guidelines, but also that they are communicating back about the level of compliance.

The use of global resources creates two distinctive areas for greater organisational awareness. The first concerns the transfer of infrastructure outside of the EU. This is often done for economic reasons to consolidate infrastructure and to take advantage of global resources.

However, it is critical that any destination geography is operating under the same standards as the EU, especially in regard to concerns about storage and manipulation of the data. Critically, the Commission must be kept informed of that compliance.

The second area of concern applies to the transfer of data to a third party, whether offshore or not. It always remains the responsibility of the original company to ensure that everyone within the ‘data eco-system’ is adhering to the standards, as it will be the original company and not the third party which will be held in breach.

The lesson for the industry is clear. If we want to continue to reap the benefits of globalisation while maintaining the confidence of our customers, we have not only to be doing the right things, but make sure that we are seen to be doing the right things. It won’t take many fines for overseas data breaches until we have a full-blown industry-wide issue on our hands.

So remember, continually audit, focus on pre-screening and always pay attention to the eco-system supporting your data. Compliance breaches can happen anywhere in your network but ignorance has never been, nor will it ever be, a defence.

GAVIN JONES is Client Delivery Director, Financial Services, Logica

Back to Special Report contents page
Back to Magazine contents page