
Working with your CIO to negotiate GRC - Part One

The increase in corporate mobile device use, fuelled by better technology and trends like Bring Your Own Device (BYOD) and enterprise-focussed apps, means there are many more ways in which a business can lose data, whether through employee mistakes, malicious theft or the sale of confidential information.

Under the Data Protection Act 1998, when a business loses personal data, the Information Commissioner’s Office (ICO) has the power to fine it up to £500,000. Breach of the act can also constitute a criminal offence, meaning in extreme cases individuals can be sent to prison. Over 650 prosecutions have been commenced in the last six years by the Crown Prosecution Service.

What makes this an even bigger issue is that personal data has such a wide definition: any information that can be used to identify an individual. As a result, GRC (Governance, Risk Management and Compliance) is currently one of the biggest issues facing companies of all sizes. Unfortunately, it has yet to find appropriate billing on agendas in boardrooms across the country, meaning remaining on the right side of the law may increasingly become a real problem.

With such dramatic consequences, CIOs may question whether mobile working policies such as BYOD are worth the hassle. But the clear efficiency benefits of mobile working, and the increased demand from employees to use devices of their choice, mean that every CIO will have to face this issue. The threat is heightened further by the sheer volume of data now consumed in the workplace. To some, the obvious and logical solution would be to implement preventative measures to ensure compliance from employees. But this just isn’t happening.

Recently an Aberdeen Council employee was reported to have taken some work home to finish on a personal computer. Microsoft Word automatically backed up the documents and published them online for three whole months, unbeknown to the council or the employee. As a result, the council was penalised and fined £100,000 for not putting in place a regulation-compliant BYOD policy.

In the Aberdeen case, the ICO held the organisation fully accountable even though the wrongdoing was an accident on the employee's part. In a contrasting example, a manager from Enterprise Rent-A-Car was found to have breached the compliant security processes in place by stealing and selling over 2,000 customers’ details to a claims management company. Following suspicions, Enterprise Rent-A-Car alerted the ICO, which raided the third-party company and found the matching data. The result: the manager was successfully prosecuted and fined £500, ordered to pay a £50 victim surcharge and had to fork over £264.08 in prosecution costs.

In situations like the Enterprise Rent-A-Car case, where the employee is clearly at fault and fully aware they have maliciously breached policy, a company can successfully hold them to account and even pursue criminal and civil proceedings. In circumstances like Aberdeen Council's, the organisation is held accountable for not having a policy for the employee to follow.

Either way, it’s clear that avoiding crippling financial fines requires detailed evidence of compliance best practice. 

To comply with data protection regulation and mitigate the risk of fines, firms need to take a holistic three-stage approach to keeping data secure, consisting of education, policy and technology. But what does each of these steps entail, and how can businesses implement them without impacting their mobile device use?

In Part Two I'll explain these steps in more detail...
