Organisations must take proactive measures to ensure they know exactly where
their important information resides. Legal and IT professionals need to be sure
that sensitive information is secured, and is managed and used appropriately in
line with internal and external compliance requirements.
Computing recently jointly hosted a web seminar with sister paper
Legal Week, which discussed how legal and IT teams should work together to meet
the demands of data protection, audit, and policy enforcement.
Our panel of experts answered viewer questions, and here we present their
answers. Our experts were:
What methods exist to audit and search for relevant data effectively
without affecting business operations or incurring large IT service
costs?
LP: It is important to look at the collaboration between IT
and legal teams to understand where to focus your capabilities and to understand
what information is critical.
Potentially you are working with hundreds of thousands of systems where data
can be stored, and it’s becoming a challenge for organisations to understand
where to look for that data and how to audit that information effectively and
collect data that is relevant.
There are techniques that allow a much more surgical approach to the
identification and, if required, collection of data.
This could involve key word analysis; filtering and reduction of data by file
types; and exclusion of file information. This would allow you to put in place a
platform that IT can use to rapidly decrease the time it takes to identify any
relevant data, and to collect that in a process that will be defensible and can
be audited.
You need an approach that shows the effectiveness and the completeness of the
process of collecting data.
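One way to put the approach LP describes into practice, as an added example that is not from the seminar or from any panellist's products: a Python scan that prunes directories agreed to be irrelevant, filters by file type, matches keywords the legal team has supplied, and records every decision (files seen, out of scope, unreadable, and matched with a SHA-256 hash) so the run can later be shown to be complete and defensible. The suffixes, excluded directories, keywords and sample files are constructed assumptions for the example.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Constructed scoping parameters; a real review would take these from the legal team.
INCLUDE_SUFFIXES = {".txt", ".csv", ".eml"}      # file types in scope
EXCLUDE_DIRS = {".git", "node_modules", "tmp"}   # locations agreed to be irrelevant
KEYWORDS = ["contract", "invoice"]               # terms legal has asked for


def sha256_of(path: Path) -> str:
    """Hash the file so a collected copy can later be shown to be unaltered."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan(root, keywords=KEYWORDS, include=INCLUDE_SUFFIXES, exclude_dirs=EXCLUDE_DIRS):
    """Walk root, prune excluded directories, filter by file type, keyword-match the
    rest, and count every decision so the run can be shown to be complete."""
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    manifest = {"seen": 0, "out_of_scope": 0, "unreadable": 0, "matched": []}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in exclude_dirs]  # prune in place
        for name in filenames:
            path = Path(dirpath) / name
            manifest["seen"] += 1
            if path.suffix.lower() not in include:
                manifest["out_of_scope"] += 1
                continue
            try:
                text = path.read_text(errors="replace")
            except OSError:
                manifest["unreadable"] += 1  # recorded, never silently skipped
                continue
            hits = sorted({m.group(0).lower() for m in pattern.finditer(text)})
            if hits:
                manifest["matched"].append({"path": path.relative_to(root).as_posix(),
                                            "terms": hits, "sha256": sha256_of(path)})
    return manifest


def build_sample_tree() -> Path:
    """Constructed sample data: in-scope, out-of-scope and excluded files."""
    root = Path(tempfile.mkdtemp())
    (root / "finance").mkdir()
    (root / "tmp").mkdir()
    (root / "finance" / "q1.txt").write_text("Invoice 17 under the supply CONTRACT")
    (root / "finance" / "notes.csv").write_text("date,amount\n2024-01-01,10\n")
    (root / "finance" / "logo.png").write_bytes(b"\x89PNG not text")
    (root / "tmp" / "scratch.txt").write_text("contract draft, should be excluded")
    return root
```

The returned manifest is the audit record: the counts account for every file the walk touched, and the hashes tie each matched file to what was later collected.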
Do you have any tips for how to change the data protection culture in
an organisation, in a way that’s more effective than simply bringing in new
policies?
AM: I have addressed this by bringing it home in a way
people can relate to.
One of the examples I use is identity theft, and I’ll talk to people about
potential solutions, and what they can do at home to prevent identity theft,
such as shredding bills.
Then you can say: “We’ve talked about what you do at home to protect your
identity and your personal data, how do you operate in your business?”
That is the way to start changing the culture. It is a combination of making
people aware of their personal environment as well as what that means for the
corporate environment. After one training session I’m sure half my class went
out and bought shredders.
How do I go about driving change in my organisation when resource
limitations are a significant factor?
PG: Proactively driving change is a lovely phrase, but it’s
difficult to do. A company that believes that training alone will sort out their
issue is misleading itself.
It’s one thing to put a tick in the box so that your internal auditors or
external regulators can say yes, they do training, but it’s another to make that
work in the context of your people.
That isn’t IT’s problem and it’s not legal’s problem – it’s the company’s
problem. Cultural change happens when the board, the chief executive, the
management and the staff buy into the need to do something.
But you cannot simply say: “From here on, we will do it this way”. You have
to make it relevant for people.
Training is a good way of doing it, but it’s not the only way.
There need to be meaningful consequences for success and for failure.
You have to understand that being proactive is not running around in a blur
talking to a lot of people and thinking, “well, I’ve talked to them so it’s OK”.
It’s about how thoughtful that engagement is.
I have worked with a lot of teams that are under-resourced. They cannot cope
with the day-to-day activity, let alone take on a strategic role.
Is it their job to work differently? Absolutely it is.
How do they do that? It is really difficult, but you have to have a
commitment to do it first.
It is about prioritisation; it is about risk management in its purest sense;
it is about identifying where you can put risk safely into the business; and it
is about having great outsourcing arrangements with your law firms, so that the
law firm is an extension of the internal function.
It all boils down to the quality of people’s influencing skills; their
relationship building skills; their ability to negotiate; their ability to
understand that relationship management is not about pleasing people. It is
about doing the right thing.
What tips can you give to a small company that doesn’t have an
in-house legal team and few IT resources?
MS: There is a lot of legal information available but that
is a double-edged sword because, for example, the Information Commissioner’s web
site is a fantastic repository of information on data protection, but there is
always a danger in trying to interpret things for yourself.
That is an example of information that is readily attainable by people who
are not legally trained. But that cannot be any substitute, ultimately, for
speaking to people who know and have the experience and can interpret those
rules in the context of a particular organisation’s issues.
Do we need express consent from clients or customers to incorporate
their data into a customer relationship management (CRM) database?
AM: When an IT manager installs a CRM system, he or she
needs to be clear about how that system is going to be used.
It is important to talk to the business and make sure the data being
collected from customers is entered correctly in the system and accessed
appropriately, according to any process that legal teams may have set as a
policy.
If a customer has explicitly given consent that their data is going to be
used within the organisation for marketing purposes then you can put it into the
CRM system. It’s another thing to have a trading relationship with an
organisation and then go and market to that customer without their consent.
MS: Data protection legislation in the UK regulates what is
known as the processing of personal data, so if the marketing information is
personal data, consent is required to collect that data – collection being a
facet of processing as defined under the legislation.
People will be familiar with the tick boxes on web sites or forms where they
are asked to consent to their information being stored or held or collected, and
that is a compliance issue with data protection legislation. Consent is
required.
Lawyers know what they want and IT management know what the
technology can do. All too often there is a gap between these two positions
which neither party feels, because they are too busy doing their own jobs in
isolation. Are the regulations, risk and compliance issues sufficiently powerful
drivers to close this gap?
LP: The volume and the size of compliance issues are
beginning to cause that gap to close. There is a recognition that closing the
gap provides an opportunity for organisations to reduce risk and put in place
effective measures for their own protection.
PG: If you decide strategy in the middle of a crisis, it is
probably bad strategy. What you need is a general counsel and an IT director who
are sufficiently aware of the risk that they are prepared to make time, when
there is no crisis, to discuss these things and to work out what is in the best
interest of the business.
AM: Don’t get confused with business requirements.
Often, IT and legal teams will understand the regulatory requirements but
what gets in the mix is someone called the business manager.
They may have different ideas about where they want their process to go. If
you can distinguish between pure legal regulatory requirements and the IT
controls, then that is where you can get common ground between legal and IT.
MS: New rules, directives and policies are not necessarily
the answer.
There has to be communication and the lawyers may know what they want, but
it’s a question of what they can have that is reasonable and proportional in the
context of litigation.
More communication between lawyers and IT is vital. Lawyers often say they
don’t understand IT people and the language they use, and I’m sure IT people say
exactly the same thing. We need to cross that language barrier.
To view the full web seminar “Do you know where your data is? How IT and
legal teams can work together to address the implications of data protection”
visit:
www.computing.co.uk/webseminars