Are you on top of data protection?

Data protection breach makes headlines

The recent leaking of data from a law firm has highlighted again the importance of having measures in place to ensure data protection compliance. The personal details of thousands of broadband customers have been leaked on the internet, alongside a list of adult movies they are alleged to have shared online. The documents appeared online after an attack on the law firm’s website by piracy activists. The leak is being investigated by regulators, as well as generating significant adverse publicity.

Information plays an increasingly vital role in both the private and public sectors: the need to protect this information should be paramount on any organisation’s agenda. Data protection is particularly important where a client holds substantial amounts of personal data relating to individuals; e.g. consumer businesses, or those with a substantial number of staff.

So why should you be concerned?

Firstly, there is the issue of costs: fines from the relevant regulators can be very large indeed (up to £500k from the UK Information Commissioner's Office, with Financial Services Authority (FSA) fines having exceeded £2m). Significant time and expense can also be incurred in managing customers, regulators and the media and in taking corrective action following a breach, as well as a possible reduction in share value and in customer and employee confidence from the resulting adverse publicity. Additionally, some breaches can result in criminal convictions for companies and directors.

Why now?

The UK Information Commissioner’s Office has recently been given new enforcement powers, including increased penalties and regulatory audits. Further, with data protection at the forefront of government and media attention, individuals have much higher expectations of compliance and the issue should be given management board attention. Public sector bodies are obliged to carry out privacy impact assessments on the data they hold. As recent news stories have amply demonstrated, there is a growing number of high-profile and costly data protection breaches, all of which serve to damage the reputation and the profits of the affected organisations.

What challenges will you face?

Getting started can be time-consuming and problematic. There are a number of issues which may be faced when focusing on the data held and used by the organisation. These can include the following:

  • Identifying what data is being held and how it is being used.
  • Practical implementation and enforcement of policies and ensuring appropriate governance.
  • Control of third party service providers.
  • Reconciling legal, IT and organisational requirements.
  • Resource constraints and lack of technical expertise.
  • Reconciling different regulatory regimes in different countries for global organisations and cross-border transactions.

These issues bring with them a number of worries, including the possible reputational damage following a breach, the increased costs of implementing appropriate policies and controls, not to mention the increased compliance burden for your legal department and the additional work for your IT and systems teams.

What can we do to help?

PwC Legal, with our wide experience of data protection, can help you get to grips with these issues and provide the necessary resources to deal with the implementation of improved compliance and management of personal data. Broadly, working with PwC Risk Assurance Services (RAS), we can help you in the following ways:

  • Help you understand the data environment: identify and classify data, map data processes.
  • Advise on legal requirements and good practice.
  • Advise on data protection governance and strategy.
  • Draft or review policies, procedures and controls matrices.
  • Assist with audit processes and systems to assess compliance.
  • Provide training: design and present privacy training and awareness programmes.
  • Give cross-border advice using PwC’s international legal network.

Our combined PwC Legal and PwC RAS team has proved to be a winning combination for our clients across a wide range of industries. Examples of our recent work include the following:

  • Following a review of key data protection policies and procedures, we assisted a pensions advisory business to demonstrate the validity of its business model to the market.
  • We helped a leading retailer to identify and address gaps in its data protection governance and compliance model to avoid the risk of regulatory action.
  • We assisted an educational service provider to demonstrate to schools that data would be processed appropriately on its tool for managing the staff recruitment process.

Contact us:

Data protection is not an issue which can be ignored in the current climate. If you would like to speak to us to find out more about how we could assist you in complying with the requirements, then please contact Olivia Patterson.

Contacts

Latika Sharma

Intellectual property and information technology

Tel:
+44 (0) 20 7212 1574