Data protection laws too lax, Sophos survey reveals

July 19, 2010 Sophos Press Release

A new survey of almost 1200 organisations has revealed deep concern about the robustness of the UK's current data protection legislation. The survey, conducted by IT security and data protection firm Sophos, discovered that nearly 50% of respondents feel that the laws are too relaxed and require revision, while a staggering 87% feel that organisations should be forced to disclose when sensitive data about the public is exposed.

The survey, which was designed to gauge respondents' views on current legislation, showed that 36% were concerned about the additional complexity and 16% were concerned about the associated costs of complying with the legislation.


In April this year, the Information Commissioner's Office (ICO) was empowered to impose fines of up to £500,000 on organisations found to have breached the data protection principles, while the Ministry of Justice (MoJ) earlier this month issued a Call for Evidence to learn whether the European Data Protection Directive 95/46/EC and the Data Protection Act 1998 are working and how they affect individuals and organisations.

"Data protection legislation is obviously big news in the UK right now, and we were interested in capturing the general feeling of businesses," said Ciaran Rafferty, VP of Sophos UK and Ireland. "The survey's findings revealed that while almost 40% of businesses were confident they complied with the legislation, more than half were unsure or concerned about whether they were compliant. Sophos would urge all businesses with concerns about the current UK legislation to offer their views to the MoJ. Only with feedback from UK businesses can the MoJ properly assess whether the legislation needs further amendments."

Earlier this year, Sophos teamed up with law firm Field Fisher Waterhouse (FFW) to help organisations avoid the serious consequences linked to security breaches and data loss. The partnership was set up both to educate companies on the current legislation and to advise them on the most efficient and effective way to comply with its requirements. In the event of a breach, the partnership aims to guide organisations through the incident response process in order to improve their position with regulators and avoid brand damage.

"It is no surprise that data breaches and data security are of increasing concern for both public and private sector organisations," said Stewart Room, data security lawyer and partner in the Privacy and Information Group at Field Fisher Waterhouse. "Working with IT security experts at Sophos, we are advising companies on how to avoid data breach incidents, as well as helping them deal with the aftermath and potential consequences."

Sophos and Field Fisher Waterhouse aim to educate organisations by holding bi-monthly data protection breakfast briefings, security forums and publishing a selection of whitepapers.

"Organisations today need trusted experts to help avoid the risks," explained Ciaran Rafferty. "This survey underlines the need to educate, advise and then provide practical security solutions. Together, Sophos and FFW are helping organisations avoid regulatory investigations, loss of clients and reputational damage."

Another question asked whether data protection legislation was preventing companies from running their organisations effectively; 41% responded that cost and/or complexity were issues.

Sophos has published ten top tips for protecting sensitive data in organisations from theft or loss.