Almost half of senior IT decision makers admit to being only vaguely familiar with the Data Protection Act, and 44 per cent of IT departments use live data to test systems, according to a new survey by Compuware.
The Data Protection Act forbids the use of customer data for any purpose other than the one for which it was collected, yet 48 per cent of senior IT managers questioned have only a vague idea of how it applies.
“Companies have had plenty of time to understand and implement robust data privacy measures since the Act was introduced eight years ago,” said Ian Clarke, Compuware’s worldwide enterprise solutions director.
“Unless they have rigorous procedures in place, they run the risk of live data being leaked to third parties. This can have severe repercussions on customer confidence and company reputation, and ultimately affect the bottom line.”
There are logical solutions to the problem – the first is to provide training. But the Data Protection Act is complicated and, at times, ambiguous.
In addition, many companies outsource their requirements, with 83 per cent relying solely on non-disclosure agreements (NDAs) to control and secure data usage by external parties.
Although these are legally binding documents that form part of the contract, many organisations admit they are so complex that they have difficulty communicating them to their employees. There have also been cases where workers have been offered bribes to hand over data.
Mr Clarke explained: “Many businesses are still confused by the ambiguity of a clause within the act relating to taking appropriate action to protect customer data. It is therefore not a complete surprise that so many organisations have taken what they think is the simplest way to comply with the act and put in place NDAs.
“The truth is that most customers would not consider this adequate protection. Therefore companies must reconsider the actions they are taking to protect customer data from being leaked in the application testing environment.
“Testing environments are inherently insecure places in which to process live customer data, with printouts and test sheets being left next to PCs during trials. Although businesses can afford to pay the fines placed on them if customer data is leaked, the cost to company reputation is not as easily recovered.”
He added: “Legislation already exists in the US that forces organisations to make public disclosures when customer data has been leaked, and I wouldn’t be surprised to see something similar come into force in the UK in the future. This will make it even more important for organisations to cover off all possible angles of attack before the company is put at risk.”
Although using non-live data will not infringe the Act, it will not necessarily exercise a system's functionality as thoroughly as real data does.
Compuware suggests disguising data by exchanging known values, such as addresses, so that customer data is transformed and unrecognisable from the original. Important values, such as postcodes, can be left in place, and the whole process can be automated, thereby removing the human risk element.
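The masking approach described above, shown as an added example in Python; this is illustrative code written for this page, not Compuware's product or any real tool. It assumes a constructed set of customer records, constructed pools of obviously synthetic substitute values, and a placeholder secret: each sensitive field (name, address, email) is replaced by a substitute chosen through a keyed hash of the original, so the same real value always maps to the same fake one (keeping records consistent across tables), while the postcode and record id are left untouched for tests that depend on them. Two checks at the end confirm that no original sensitive value survives in the output and that the preserved fields are intact.

```python
import hashlib
import hmac

# Constructed sample records: none of these describe real customers.
CUSTOMERS = [
    {"id": 101, "name": "Alice Smith", "address": "12 High Street",
     "postcode": "SW1A 1AA", "email": "alice@example.com"},
    {"id": 102, "name": "Bob Jones", "address": "7 Mill Lane",
     "postcode": "M1 1AE", "email": "bob@example.com"},
    {"id": 103, "name": "Alice Smith", "address": "3 Station Road",
     "postcode": "EH1 1YZ", "email": "asmith@example.org"},
]

# Fields whose real values must never reach the test environment ...
SENSITIVE_FIELDS = ("name", "address", "email")
# ... and fields kept as-is because tests depend on them (postcode-driven
# logic, record linkage between tables).
PRESERVED_FIELDS = ("id", "postcode")

# Pools of obviously synthetic substitute values (constructed for this example).
FAKE_FIRST = ["Test", "Sample", "Dummy", "Mock", "Demo", "Stub"]
FAKE_LAST = ["Userone", "Usertwo", "Userthree", "Userfour", "Userfive"]
FAKE_STREETS = ["Example Road", "Placeholder Avenue", "Specimen Close", "Fixture Way"]


def _slot(secret: bytes, value: str, modulus: int) -> int:
    """Map an original value to a stable pool index via a keyed hash.

    Keyed (HMAC) rather than a plain hash so that someone holding only the
    masked data cannot rebuild the substitution table by hashing a dictionary
    of candidate names or addresses; the secret stays outside the test estate.
    """
    digest = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % modulus


def mask_record(record: dict, secret: bytes) -> dict:
    """Return a copy of the record with sensitive fields replaced, others kept."""
    masked = dict(record)
    first = FAKE_FIRST[_slot(secret, record["name"] + "|first", len(FAKE_FIRST))]
    last = FAKE_LAST[_slot(secret, record["name"] + "|last", len(FAKE_LAST))]
    masked["name"] = f"{first} {last}"
    number = 1 + _slot(secret, record["address"] + "|number", 200)
    street = FAKE_STREETS[_slot(secret, record["address"] + "|street", len(FAKE_STREETS))]
    masked["address"] = f"{number} {street}"
    # .invalid is a reserved TLD, so test mail can never reach a real mailbox.
    masked["email"] = f"user{_slot(secret, record['email'], 10**6):06d}@example.invalid"
    return masked


def mask_dataset(records: list, secret: bytes) -> list:
    return [mask_record(r, secret) for r in records]


def leaked_values(original: list, masked: list) -> set:
    """Any original sensitive value that still appears in the masked output."""
    originals = {r[f] for r in original for f in SENSITIVE_FIELDS}
    return {r[f] for r in masked for f in SENSITIVE_FIELDS if r[f] in originals}


def preserved_intact(original: list, masked: list) -> bool:
    """True when every preserved field is unchanged, record for record."""
    return all(o[f] == m[f]
               for o, m in zip(original, masked)
               for f in PRESERVED_FIELDS)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # placeholder; generate and store outside the test estate
    out = mask_dataset(CUSTOMERS, secret)
    for row in out:
        print(row)
    print("leaked:", leaked_values(CUSTOMERS, out))
    print("preserved fields intact:", preserved_intact(CUSTOMERS, out))
```

Because the substitution is deterministic under one secret, the two "Alice Smith" records receive the same fake name, which keeps joins and duplicate-detection tests meaningful; rotating the secret produces a fresh, unrelated mapping. The `leaked_values` check is the kind of automated gate a practitioner would run before a masked extract is handed to a test team or an outsourcer.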