Courtney noted that the European Data Protection Act defines personal data as information pertaining to any living individual. The law, which applies to paper and electronic documents alike, specifies rules that regulate the collection of such data for legal purposes.
According to Courtney, the most important aspect of these rules for IT managers relates to the storage and retention of data. In order to comply with the Data Protection Act's regulations, an organization must ensure that personal data is not retained longer than necessary, is not transferred overseas and is kept secure against unauthorized or illegal loss, erasure and processing.
Much of this process can be carried out automatically, Courtney wrote. In many cases, it is possible to set up a storage management solution that deletes files after a specific period of time set by an IT administrator.
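The automated retention deletion described above, as an added example that is not from the original article or from Courtney's piece: it scans a directory for files whose modification time is older than a configured retention period, previews the result in a dry run, and writes one JSON audit record per file before deleting anything. The directory layout, the use of modification time as the retention clock, the 365-day period and the audit-log format are all assumptions of this example.

```python
"""Retention enforcement: delete files older than a configured period and audit each deletion.

Added example; the directory layout, retention period, use of mtime as the retention
clock and the audit-log format are assumptions, not taken from the article.
"""
import json
import os
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path

SECONDS_PER_DAY = 86400


def expired_files(root, retention_days, now=None):
    """Return regular files under root whose mtime is older than the retention cutoff.

    Symlinks are skipped so the scan cannot be steered outside root; the file's
    modification time serves as the retention clock (an assumption of this example).
    """
    now = time.time() if now is None else now
    cutoff = now - retention_days * SECONDS_PER_DAY
    expired = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        if path.stat().st_mtime < cutoff:
            expired.append(path)
    return sorted(expired)


def enforce_retention(root, retention_days, audit_log, dry_run=True, now=None):
    """Delete expired files (unless dry_run) and append one JSON audit record per file.

    Returns the list of paths acted on. dry_run defaults to True so that a
    misconfigured retention period shows up in the audit log before anything is lost.
    """
    acted = []
    with open(audit_log, "a", encoding="utf-8") as log:
        for path in expired_files(root, retention_days, now):
            record = {
                "timestamp": datetime.now(timezone.utc).isoformat(),
                "action": "would_delete" if dry_run else "delete",
                "path": str(path),
                "mtime": datetime.fromtimestamp(path.stat().st_mtime, timezone.utc).isoformat(),
                "retention_days": retention_days,
            }
            if not dry_run:
                path.unlink()
            log.write(json.dumps(record) + "\n")
            acted.append(str(path))
    return acted


def demo(retention_days=365):
    """Build a constructed fixture (one file aged 400 days, one fresh) and run both modes."""
    data_dir = tempfile.mkdtemp(prefix="retention_data_")
    audit_dir = tempfile.mkdtemp(prefix="retention_audit_")  # keep the log outside the scanned tree
    audit_log = os.path.join(audit_dir, "retention_audit.jsonl")

    old = Path(data_dir, "records", "old_customer_export.csv")  # constructed sample file
    old.parent.mkdir()
    old.write_text("constructed sample data\n")
    stale = time.time() - 400 * SECONDS_PER_DAY
    os.utime(old, (stale, stale))  # back-date the modification time past the retention period

    fresh = Path(data_dir, "records", "current_export.csv")  # constructed sample file
    fresh.write_text("constructed sample data\n")

    previewed = enforce_retention(data_dir, retention_days, audit_log, dry_run=True)
    deleted = enforce_retention(data_dir, retention_days, audit_log, dry_run=False)
    with open(audit_log, encoding="utf-8") as log:
        audit_records = [json.loads(line) for line in log]

    return {
        "previewed": [Path(p).name for p in previewed],
        "deleted": [Path(p).name for p in deleted],
        "old_exists": old.exists(),
        "fresh_exists": fresh.exists(),
        "audit_actions": [r["action"] for r in audit_records],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the fixture's outcome: the dry run lists the stale file without touching it, the real run removes only that file, and the audit log carries both a `would_delete` and a `delete` record. Because modification times can be altered, a production deployment would anchor the retention clock on a timestamp recorded at ingest (for example in an index or database) rather than on the file system alone.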
Few problems have arisen due to expired data retention periods, according to Courtney.
Many organizations have, however, ended up in situations in which sensitive data was compromised by being copied to portable media, such as USB sticks, external hard drives, laptops and smartphones. When these devices are lost or stolen, private data can fall into the wrong hands, regardless of the data security systems in place on work networks.
To prevent such incidents, Courtney noted that it is possible to deploy logging and auditing tools that keep track of what employees do with the data they have accessed. Furthermore, data can be encrypted, making it difficult for cyber criminals to read the information even if they succeed in stealing it.
While new IT practices, such as cloud computing, offer great benefits, they also come with new risks. A recent Return Path survey, for example, indicated that the percentage of emails being accessed on mobile devices is growing rapidly. While this allows greater flexibility, it also increases the chance that sensitive emails will fall into the wrong hands.