Wednesday, 14 May 2014

ICO report on protecting personal data in online services

Increasingly, DPOs need to collaborate with others to implement appropriate privacy controls. So, I'm impressed with the ICO's latest attempt to explain to data protection professionals (and other compliance officers) what it is that information security geeks need to do to ensure that the most common security vulnerabilities are addressed. It's a really welcome attempt to use less technical jargon to highlight issues that are capable of causing substantial embarrassment and harm to individuals, should the controls fail and data breaches subsequently occur.

The language that is often used by data protection and information security professionals can be impenetrable to mere mortals. So three cheers to the ICO for translating some of the technical terms into plain English. If a data protection or compliance officer ever wanted a conversation opener with their security team, this report contains a list of some 39 questions that could easily be asked by ICO auditors, should they decide to carry out a formal information security audit of the organisation.

The report helps less technically gifted professionals appreciate what sorts of questions they need to ask of their security teams, even if they won't necessarily understand the answers. The key point is that the officer can (hopefully) rest assured that someone within the organisation understands this stuff and is dealing with it. Which is a lot better than realising that no one is dealing with it.