Almost two-thirds of small businesses in the West of Ireland have not implemented policies and procedures to ensure compliance with the Data Protection Acts.
Reasons cited for non-implementation of data protection policies range from not having the necessary resources and expertise (18pc), to lack of knowledge of how the Data Protection Acts apply to their business (37pc) and a concern for reducing costs and not implementing new policies (11pc).
Just over half the businesses surveyed (55pc) are familiar with the responsibilities the Data Protection Acts place on their organisation, according to the survey carried out by Galway-based data protection consultancy protectyourdata.ie.
Protectyourdata.ie survey participants
The survey was conducted among 593 businesses operating mainly in the West of Ireland and was targeted at small businesses with one to five employees, with more than 65pc of respondents having between one and five employees.
“These figures show that although there is an awareness of the obligations as laid down by the acts, small businesses are unsure how to deal with them,” Eamonn Crawley of Protectyourdata.ie explained.
“This survey highlights the need for additional training and resources for small businesses to help them ensure compliance.”
Survey responses have indicated a good understanding of some of the basic tenets of the Data Protection Acts, with 59pc of respondents aware that they must inform an individual of the purpose of collecting the data and 92pc knowing they can only use the information for the purpose specified when it was collected.
A concern arises with regard to the possible costs associated with compliance and non-compliance, with only 26pc aware that the maximum possible fine on an indictable offence is €100,000.
Less than half of the respondents (41pc) are aware of the fact that this maximum fine can be applied to each individual record involved in the offence. Only 34pc realise that they can only charge any individual €6.35 for retrieving their personal data regardless of the expense it puts on them.
Use of encryption technology
One of the biggest surprises, given last year’s high-profile theft of four unencrypted Bord Gais laptops, is that encryption technology is still not being utilised, with 63pc of respondents saying that there is no encryption policy within their company for laptops, external hard disks and USB memory sticks.
According to Crawley, this figure is close to the figure produced by the KPMG 2008 Data Loss Barometer, which showed 62pc of incidents of data loss with removable media involved data with no protection.
“The low use of encryption (33pc) and other new technologies (USB port disabling software – 7pc) lags far behind the use of antivirus software (94pc) and firewalls (78pc). How the figure for antivirus is not 100pc is astonishing considering the ease of availability of such software, some of it free.
“At the very least, antivirus software should be on every PC considering the threat of viruses/Trojans to data on PCs and laptops,” said Crawley.
The survey indicated that 8pc of organisations have either lost a laptop, USB memory stick or external hard disk or had one stolen. For organisations with just one to five employees, this figure increases to 11pc.
“Although approximately one in 10 organisations will lose one of these devices, only three to four of these 10 use encryption, so the probability of a lost or stolen device having been unencrypted is quite high,” concluded Crawley.
By John Kennedy
Photo: Eamonn Crawley of Protectyourdata.ie