Almost one in five businesses has breached the Data Protection Act (DPA) at least once, and nearly two-thirds do not train their staff on the issue, according to a survey by BSI.

Nearly a fifth of businesses have breached the Data Protection Act, according to a survey of 500 small and medium-sized businesses carried out by BSI, the British Standards Institution, which is today publishing a data protection Standard for the treatment of the personal information that businesses hold about staff and customers.

Some of these breaches involved leaking personal information to third parties, while others involved holding personal information improperly or without the owner’s consent. The survey does not specify how many of the breaches involved data leaks, but half the companies that admitted to a breach said they had probably breached it many times, and another 18 percent of the sample admitted they did not know whether they had breached the Act or not.

Despite this situation, 65 percent of businesses provide no data protection training at all for their staff, according to the survey, and in half of them there was no-one with responsibility for data protection. The report turned up other worrying facts, with 18 percent of businesses saying that “data protection is less of a priority in the current economic climate”.

The new British Standard for the management of personal information, BS 10012, is intended to provide a framework for companies complying with the Act. The Standard, “Data protection – Specification for a personal information management system”, is being launched at today’s Data Protection Forum meeting in London.

Five million small and medium-sized businesses in the UK handle vast amounts of personal data, and the survey showed they need to get their act together, said Mike Low, Director of standards at BSI. The problem may be dealing with the complexity of the regulations, he said: “A third of businesses stated that the complexity of the legislation restricts their compliance with the DPA. The new standard addresses this and many other issues, providing organisations with a framework for maintaining and improving compliance and demonstrating that they are handling personal information responsibly.”

Originally formed as the British Standards Institution to ratify national standards in all areas, BSI has been making a name for itself in business management standards, which are often accepted as international ISO standards and which BSI markets worldwide under the name BSI Group. These standards cover areas like quality (ISO 9001, developed from BS 5750) and security management (ISO 27001, developed from BS 7799).

Like these established standards, BS 10012 does not prescribe exact methods, but explains best practice and sets a framework. Any kind of organisation can use it to create its own tailored management system, said Low. Experts from industry, government, academia and consumer groups contributed to the standard, and comments from the public were gathered during a three-month public comment period before the final version was published today.

The research on data breaches was conducted on BSI's behalf by Opinion Matters.

Peter Judge

Peter Judge has been involved with tech B2B publishing in the UK for many years, working at Ziff-Davis, ZDNet, IDG and Reed. His main interests are networking security, mobility and cloud.

Comments

  • Nonsense. Walk around your office, can you see any personal data to which you should not have access - on a desk, in the bin perhaps? The mindset of employees still has not been focussed on security. Sure, there are organisations with a great focus on security but where did that statistic come from?

    http://infosecrecy.blogspot.com/

  • It's no wonder that almost one in five businesses in the UK has breached the Data Protection Act (DPA) at least once, in fact in reality it is probably more than that. Recent research we have undertaken ourselves shows how a large proportion of IT managers are largely unaware of which employees have access to which systems. If you don't know who has access to your system then how do you know that you are plugging all the potential holes? The time for over confidence has passed. It is important for IT Managers to start undertaking regular audits of their systems, ensuring that employees have access to only the information they need to do their jobs. Otherwise the DPA will continue to be breached, whether accidentally or through malicious intent.

    Stuart Hodkinson, UK General Manager, Courion (www.courion.com)
