I said in a recent blog I had added two new pages to my website and put a copy of the one on Risk Management on the blog. Well, here is the second one, on Data Protection.

As before, if you have another question please let me know either as a comment on the blog or by e-mail to john@jhmriskmanagementservices.co.uk


  1. Who is Responsible for Data Protection AND can you transfer this responsibility?
  • A lot of people still seem to think that Data Protection is a matter for their IT manager. In fact the buck really does stop with the man, or woman, at the top.  There may be disciplinary repercussions for the IT manager or whoever else caused the breach, but the primary responsibility lies with the business owner.
  • Similarly, a lot of people think that if they outsource IT services or even payroll, accountancy, or other services, the responsibility for the data involved will transfer to the business providing the service.
  • This is all untrue. The Act places all the responsibility on the business whose data it was in the first place, defined as the “Data Controller”.  The other business is defined as the “Data Processor”.  Changes are being introduced currently which will allow the authorities to fine the Data Processor as well, but they will not remove the burden from the Data Controller.
  • If you have written your contracts carefully enough, you may be able to obtain some compensation from the business actually responsible for the data breach, but that will probably be after you have been prosecuted and fined.
  2. Do I Offer IT Solutions When I Offer Data Protection Services?

I do not.  I would like you to think about the following points.

  • In a recent survey IBM found that 40% of data breaches were caused by human error and that another 35% were caused maliciously, leaving IT issues a poor third.
  • Having great IT security does not stop people leaving laptops on trains or printouts on photocopiers, just as great physical security is ineffective if staff forget to lock doors.
  • It is all too easy to find that you cannot see the wood for the trees if you get too involved in the details of IT systems without stepping back and looking at the big picture.
  • Once an issue has been identified it is often possible for the client’s existing IT provider, internal or external, to resolve it.
  • Where the client agrees that an IT solution is required, I have several highly competent IT experts whom I can call upon for advice or support.
  • It is very easy to spend a lot of money on improving your IT when all you really need is to use your existing hardware and software properly and to establish realistic but secure procedures for everyone in the business to follow online and offline.