After attending a Microsoft event in the UK I have a better idea about data protection and compliance. It appears that there are four main sources of data protection and compliance regulations:-
1. The UK's Data Protection Act. This says what you can and can't reasonably do with data about people and the act is policed by the UK Information Commissioner's Office. Every business holding electronic records about people needs to be aware of this act and its provisions and have an understanding of how it is meeting or not meeting those provisions.
Compliance is relatively simple in that it is a UK act with UK jurisdiction and a UK regulator.
2. The EC and its various directives relating to telephony and telecommunications, including computer networking. There are three directives and these are applied and enforced by the member states. The latest, 2006, directive is not yet enforced by the UK. Enforcement could mean that the UK makes its own law to follow the EC law, or it could mean that the UK lets the directive become EC law covering the UK.
If your business operates in several EC member states then it could well face different compliance rules and enforcement processes in the different states. Great!
It means that you need to refer to lawyers familiar with the directive and its enforcement in each member state you do business in.
3. Vertical market regulations such as Basel II for banking and HIPAA for health in the USA. If your business comes under the jurisdiction of such acts through being in a subject business area and territory then you have to be aware of the regulations and ensure that your business complies with them. Many financial businesses in the UK will already have a compliance officer or office to ensure they are compliant.
4. US or other non-EU state regulations or law such as Sarbanes-Oxley. If your business operates in territories subject to such laws then, again, you need to understand their provisions, monitor your own business's compliance and produce the necessary reports.
Once again this means having access to lawyers who understand the regulations, how and where they apply, and how they are enforced.
Complications come in where one set of compliance or data protection rules contradicts another. They also come in where different parts of your organisation are subject to different compliance regimes, meaning you cannot implement a one-size-fits-all compliance system.
Who should be responsible for compliance with the various laws and regulations you are subject to in your organisation?
If you don't have an existing compliance officer or office then an attractive default person is going to be the IT director/manager. This is sensible in that it is computer-based processes and communications that have to be aware of and respond to compliance needs. But many IT departments won't own the data that is stored in their electronic silos and passes through their electronic pipes. That data is owned by the lines of business.
Just as a plumber is responsible for pipes and taps, but not for the quantity and quality of the water coming into them from outside, we may well ask whether an IT executive is logically the right person to be responsible for how a business's stored and communicated data content is processed in compliant ways.
The consistent element is that lawyers are needed. It seems to me that small businesses will, through necessity, dump the compliance responsibility on the IT manager. That person or a delegated staff member will have to have access to knowledgeable legal advice and also access to content producers and owners.
Larger businesses will, inevitably in my view, have to appoint a compliance officer, much as many financial institutions already have. This person will need CEO-level support, access to knowledgeable legal facilities, access to and co-operation from the IT director or CIO, plus access to and co-operation from the content owners in lines of business.
It is a large additional cost, the provision of which is not assuaged by thoughts of how much money you are saving through not having to pay non-compliance fines. Once again regulators and politicians are playing around with corporate responsibilities with absolutely no idea of the costs of their, in some cases knee-jerk, reactions to events such as the Enron fraud.