
An alliance for compliance

If you visit the government’s website for information on data protection, its section on ‘guidance and other publications’ is divided into 15 subdivisions and comprises more than 100 documents, ranging from advice on how to comply to the act itself and even such gems as International Transfers Summary: 8th Principle. Is it any wonder UK businesses are less than enthralled by data protection legislation?

That’s why Richard Thomas, the new Information Commissioner responsible for compliance, has made it his mission to shake up data protection. He is calling on UK businesses to get involved in making data protection – the legislation that governs the way businesses handle information about staff and customers, including personnel records, direct marketing activities and monitoring of employee emails and web usage – a key boardroom focus. Excited? I knew you would be.

In an interview with Financial Director, Thomas says that senior directors – especially FDs – should be taking notice of data protection. And compliance may even give businesses a competitive edge. “I can stand up in front of senior executives and say with a straight face that data protection is good for you. Some people think data protection regulation is unacceptable, but we can persuade them they need to comply because of the risks posed to their organisation and the inefficiencies of getting information wrong or dealing with it insecurely,” he says.

“Most companies work in a competitive environment – competing for customers and staff,” he says. “If companies have lousy personal details about customers, suppliers or staff, they will suffer in the market.”

But overcomplication of the act and guidance for business has meant that many businesses haven’t paid enough attention to data protection.

“Quite a lot of people in the last six months have told me that data protection is too complicated,” says Thomas. “And while most people think the principles behind data protection are first-rate, they get confused by the burden of rules and regulations.”

Thomas, who is also the author of Plain English for Lawyers, says the first of his ‘quick wins’ is to simplify the language of data protection.

“We have too much jargon. I avoid using words like ‘data’. I think ‘personal information’ is more meaningful. I also hate the phrase ‘data subject’ – that means ‘people’, by the way.”

While Thomas can’t change EU directives or acts of parliament, what he can do is change the Information Commission’s internal policies, procedures and guidance notes. He can also get UK businesses more directly involved in shaping legislation and guidance – helping companies get it right without resorting to heavy-handed enforcement – and that needs input from the FD. “There are risks involved if you get data protection wrong,” Thomas says. “An FD has to make sure the function is being led properly within the organisation, whether it is made the responsibility of the IT department, the company secretary, the legal department or the FD.”

One example of where Thomas wants to see FDs becoming more proactive is where the implementation of compliant systems can prevent security breaches and loss of personal information to data thieves.

“It is illegal to sell or buy personal information without the permission of the company that holds it. But there is quite a murky, unpleasant trade in personal information called ‘blagging’,” Thomas says. “Tracing agents, for example, will bribe or impersonate staff to get personal information out of your system. If you are a bank, they might be looking for people’s financial details. If you are an insurance company, they may be looking for claim information. If you are a public body, they could be looking for tax or driving licence details.”

Thomas’ advice is to factor in data protection from the outset when designing or upgrading IT systems. “If you bolt data protection on later it is more difficult,” he says. “Under current requirements, staff have a right to see the information a company holds on them. If your IT systems don’t have the functionality built in to deal with these requests, you are going to be in trouble.”

Thomas also wants FDs to be proactive in shaping future regulation.

“I want FDs to know I am in the business of simplification and making data protection more effective. I would like to invite FDs to email their suggestions to me. We will put out a more structured consultation paper later in the year.”
