SQLServerCentral Editorial

Data Privacy and Security: The Implications of GDPR


Today we have a guest editorial from Phil Factor as Steve is out of the office.

It really is about time that all of us who are working on data tightened up on security. Since I started working in IT, standards of protection of data have fallen significantly. Because we as an industry haven't cared enough, there has been growing international pressure to create legislation that compels us to take security seriously. In a year's time, companies operating in Europe, wherever they are based, will face fines of up to 4% of worldwide annual turnover or €20 million, whichever is higher, for offences against a basic human right to privacy that is still poorly understood by many.

I apologise for talking about European legislation for a moment, but there is a reason. The European Convention on Human Rights (ECHR) speaks of a right to respect for one's "private and family life, home and correspondence". The General Data Protection Regulation (GDPR) becomes enforceable in a year's time in all EU countries, including the UK. The regulation also applies to organisations based outside the European Union if they offer goods or services to people in the EU or monitor their behaviour, for example by collecting or processing their personal data. We're not just talking about potentially embarrassing medical records here. No, personal data includes anything that can identify a living person: a name, a home address, purchasing habits, a photo, an email address, bank details, posts on social networking websites, or a computer's IP address. Processing this personal information requires a lawful basis. Where that basis is consent, the consent must be freely given, specific and unambiguous (and explicit for sensitive categories such as health data), and it can be withdrawn at any time. Personal data may only be retained for as long as the stated purpose requires.

Organisations can't shrug and say that they have delegated the processing of personal information to a third party. If they determine how and why the data is used, and benefit from it, they are the data controller and remain responsible. They have to be able to demonstrate that personal data is protected by design and by default, so that access is restricted by the way the system is built rather than merely by policy. We have to prepare now, before the regulation becomes enforceable in May next year. Many existing IT systems will have to be re-engineered before then.

Organisations operating in Europe whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of sensitive categories of data, as well as all public authorities, will have to appoint a Data Protection Officer to ensure that the organisation complies with the legislation. These people will need to be data experts with experience in security and a lot of knowledge about the protection of data, able to ensure that IT systems protect data 'by design and by default'.

The mood in the USA towards personal privacy is rather different, favouring as it does the rights of the state, as defined in the Patriot Act. However, because of the long-standing transatlantic arrangements for data transfer, first Safe Harbour (struck down by the European Court of Justice in 2015) and more recently its replacement, Privacy Shield, together with the GDPR's own reach beyond EU borders, the regulation affects all businesses processing personal data who trade with Europe. The EU has the most progressive laws on data protection, and will determine the data standards of a globalised market, so it looks inevitable that the international standards for handling personal data will derive from the GDPR. Yes, the ramifications of GDPR could easily affect your work.
