Lee & White

Amongst others it means that you need to implement adequate technical means to protect the data, and put the necessary security measures in place.

Another point tells you to limit who has access to that data, ensuring that data is accessed only on a need-to-know basis. For example, the receptionist needs to know the name and company of customers who will visit the company today, but does not need to have access to their credit card data. The IT technician needs to know names and user access rights to perform his duties, but not confidential financial data.

Speaking of which, most companies' IT departments are a serious risk to security. Developers need to be able to develop their software and to do so, need access to code and data. Often this means that they have not only access to test data on test servers but also to real data on production servers.

They implement easy to remember user accounts - so called super users - which give them access to every part of the applications and databases, even the most confidential. These are rarely changed and are accessible to the complete development team, not to a specific developer. This also means that when a developer or IT consultant leaves the company, the password is not changed, and possibly the developer would still have access to sensitive personal data entrusted to the company.

According to Cyber-Ark, 9 out of 10 disgruntled IT staff would steal confidential or proprietary data from their former employer. The article on Contractor UK further states that one third of leavers would take lists with 'super user' passwords, giving them access to all kinds of sensitive company and personal data. Only 12% would be honest and leave empty handed, leaving all company confidential data behind.

Companies are required to ensure that the personal data entrusted to them is adequately protected, so this is certainly an issue they need to address. Do take note that implementing high security measures to secure personal and sensitive data is not sufficient as grudging staff will find a way to bypass these security measures.

So what is the current horror report on personal data floating around?

"Bank customer data sold on eBay" - how does that sound? Frightful, I should think.

Yes, this is one of the latest reports by the BBC News concerning the commencement of an investigation into how a computer containing bank customers' personal data was sold on eBay.

According to the report, the computer was purchased by an IT manager for GBP77 and contained sensitive details of customers of three companies - including Royal Bank of Scotland (RBS) and its subsidiary Natwest, on its hard drive. Some of the details included customers' signatures, mothers' maiden names and mobile phone numbers.

Now, was this due to carelessness and negligence on the part of these banks? How did the computer get on the eBay market for sale? All will be revealed after the investigation, I suppose.

However, it surely does not look good for these banks to have made such a blunder - since security and protection of personal data is of utmost importance and this is a duty that should never have been shirked in the first place.

We manage IT projects on a daily basis, and in every project there is the returning constant of processing personal data.

I must say that most clients we have worked with show the goodwill to properly handle personal data, but sometimes other priorities, like financial limitations or time constraints, make it such that proper processing is seen to be a lower, if not the lowest priority.

Sometimes we get called in to audit a company to check existing processes and applications for compliance to data processing laws. We then need to inventorise what kind of data is kept and where, how it is handled, and what the procedures and communications are. Basically, a thorough in-depth audit that involves and affects all levels of the business.

When we are involved from the very start, we can, even already on a requirements or functional level, pinpoint where issues would arise, and through small changes in the design and implementation process, ensure that applicable laws and good practices are met.

It is the same for all problems; if you can catch and fix it at an early stage, the cost is a factor lower than if you have to fix it at a later stage. If, of course, even at that stage you do not fix it, then the cost of being caught after go-live is enormous. This can not only have financial implications, but also cause damage to reputation and brand, as well as have criminal consequences.

A data protection officer should be involved at every stage of a new project. He should validate business requirements, check functional analyses, approve technical designs and audit proper handling after go-live. If properly executed, the amount of time (and budget) spent on this role would be minimal, and as such only big corporations need a full FTEto perform this role. Most companies can hire external consultants to do this on a part time or time and material basis.

Some companies make the mistake of asking their in-house legal department or company lawyer to advise on data protection issues. Unfortunately, these individuals are not specialized to give this kind of advice and are usually fully booked to solve other company related legal issues. Also, they might be too deeply involved in the business to give impartial advice.

Specialized legal consultants have the experience and know-how through different projects to handle these kind of problems on a daily basis. They can also deliver impartial advice without risk of conflict of interest.

So, in conclusion