Listen to this article


For businesses, data protection and privacy laws are something of a moving target, especially where they operate across borders.

This, in turn, brings challenges for compliance and for IT departments. Add in technical changes – such as a greater reliance on data gathered via social media – and more use of consumer and personal devices in the workplace, and creating an effective data protection policy looks far from straightforward.

“Any approach based on specific solutions for specific laws will never work: an organisation will just spend its time chasing its tail,” says Clive Longbottom, of Quocirca, an industry analyst. “The only way to deal with it is to create an environment where the data carries their security around with them.”

Countries as far apart as Brazil and Singapore – which released a draft of its new data protection act in March – are tightening up their rules.

Over the next two years, governments in the European Union are set to introduce tougher data protection laws. The European Commission’s Data Protection Regulation, announced in January, proposes legislation to increase consumers’ control over their data and create a more consistent framework for laws across the EU. It will replace the less stringent and somewhat outdated data protection directive of 1995.

The situation for companies is complicated by the differing standards of data protection countries have adopted, even within trading blocks such as the EU. There, German and Danish laws are considered to be the tightest, restricting for example a company’s ability to monitor staff email. UK and Irish laws are less strict.

Then there are laws that prevent companies from moving data offshore, or restrict such movements to countries that have a “safe harbour” framework for protecting data. Even diligent companies can fall foul of these rules, especially if they outsource IT functions, business processes, or buy in services in areas such as sales or marketing.

Neil Cattermull, a director at Canary Wharf Consultancy, a financial services specialist, cautions that organisations can be “non-compliant” even when they think they are obeying all the rules. In complex IT outsourcing arrangements, suppliers may buy services from other companies, and these second, third or fourth-tier vendors may not comply with local data protection legislation.

“There is a lot of cheap storage [arriving on] the market and it is cheap for a reason,” says Mr Cattermull. “But people are becoming more stringent on contracts, and are looking deeper. In the small print, suppliers may not mention where the data are hosted.”

This is echoed by John Skipper, a data protection expert at PA Consulting. “Unless it’s set out that a provider complies with EU rules, it probably doesn’t,” he says. It is up to companies, and especially their IT and legal teams, to make those checks.

Although laws such as those proposed by the EU will help with cross-border consistency, international companies will still need to keep abreast of a wide range of complex and evolving rules and regulations.

“The IT challenge is that people are travelling about. They want to have access to information and are trying to co-operate with colleagues in different offices,” says Håkan Carlbom, chief information officer of Stockholm-based EQT, a private equity firm. And, in addition to complying with local laws, there are “commercial reasons not to be sloppy with our data”, he says.

For enterprises, though, complying with data security and privacy rules is just one part of compliance and data management. Carsten Casper of Gartner, an IT research company, suggests some countries – the US, for example – rely more on industry-specific regulation in areas such as health and financial services.

In the UK, the Financial Services Authority has a record of handing out heavier fines for breaching data privacy than the Information Commissioner’s Office.

“It is a question of having a good privacy management programme and paying attention to people, processes and products,” he says. Companies should ensure their staff understand data privacy rules and that there is an incident response procedure for data theft or privacy breaches.

But there are also business advantages to keeping up with if not one step ahead of privacy legislation. Practitioners in the field advise that companies should keep rules for internal and customer data under constant review.

It may be more efficient, safer, and cost-effective to set a higher standard of protection across the board than to attempt to follow the minimum rules in each country or territory. And consumers will be reassured if a company does more than the minimum.

“Legislation is getting tougher, and consumers and citizens are taking it more seriously,” says Stephen Bonner, a partner in the IT practice at KPMG, a professional services firm. Some legislation can be onerous, but it provides a level of comfort [to customers] that you are operating safely.”

Copyright The Financial Times Limited 2017. All rights reserved.

Follow the topics mentioned in this article