My employer, comply with data protection law? Don't think so – say 3 in 4 office drones

Less than a quarter of staff at businesses in the UK, France and Germany think their organisation fully complies with data protection laws, according to a new study. Cyber security company Sophos commissioned a survey of 1,500 office workers in the three countries and found that 77 per cent of respondents were not confident …

  1. Slowie

    doesn't seem to matter at my wife's place

    They seem to think that even without an employment contract, device policy or a letter waiving her rights, they can freely go through her personal laptop looking at bank statements and such.

    Police seemed to think that section 1 of the Computer Misuse Act (unauthorised access) applied though, so just maybe they will learn....

    1. Anonymous Coward

      Re: doesn't seem to matter at my wife's place

      What is your wife doing with a personal laptop at work and connected to the work network? At most companies that would be a breach of company policy. This is a big part of the problem with BYOD.

      1. Slowie

        Re: doesn't seem to matter at my wife's place

        They couldn't afford one for her role and never got round to buying one when they could, and I agree it should be against company policy, but there has to be one for it to break as well.

  2. aregross

    In regards to the article, I'd bet that percentage of compliance is less in the US.

    1. Anonymous Coward

      For sure...

      Here in the US I was constantly having to report my clients for various HIPAA (Health Insurance Portability and Accountability Act) violations. These companies would sling customer data around without any masking or scrambling. I diligently reported it to my corporate security officer, who would write up a report and provide it to the client, who would then not so subtly sweep it under the rug.

      Posting as AC as I still work in the industry...

    2. Gannon (J.) Dick

      Comply with what ?

      I'd bet that the percentage of typhoons in Congress is lower than in Parliament. (Just typhoons, generalized windbags, the numbers are probably comparable)

      Sadly both the US and the UK share only unwritten Boss's Arse Protection Laws.

  3. Khaptain

    Compliance .... aaaaaarrrrgrggggghhhhhhh

    Anyone who works for any reasonably large corporate structure knows only too well what compliance means.

    1 : Pray that no-one actually looks into the company ERP/database and finds the table that holds the "unencrypted" card numbers... Shh, no-one knows they are there...

    2 : Filling out compliance forms stating that things are 100% secure, because the contrary will mean a hell of a lot of work to resolve, improve, modify..... and no sponsoring.

    3 : Agree that compliance is necessary but cry about the lack of funds/FTEs needed to bring systems up to date.

    4 : That cringing feeling when you see your ISM's number or email address pop up on the screen...

    5 : Hope that your department is not the one that gets picked by the quality control office....

    1. Anonymous Coward

      Re: Compliance .... aaaaaarrrrgrggggghhhhhhh

      Compliance .... aaaaaarrrrgrggggghhhhhhh

      Amen to that in the Trading Sector

  4. Anonymous Coward

    > In the UK, the Information Commissioner's Office (ICO) has repeatedly warned organisations to ensure portable devices are encrypted.

    Whereas other members of the government/civil service are concerned about the prevalence of encryption on mobile devices, as touted recently by Google and Apple.

    I wish they'd make their friggin' minds up.

  5. Anonymous Coward

    Shadow IT

    "The term "shadow IT" generally refers to the use of applications by employees where those applications have not been approved for use by the IT department or which have not otherwise been obtained in accordance with IT policies."

    Describes my situation pretty well. Been through a couple of corporate takeovers, and a lot of the policies of the current parent company are deeply incompatible with our own custom and practice. For example, it would be unthinkable not to be able to snoop/tcpdump and analyse traces in Wireshark (it's a core activity of this particular professional services outfit)*. Google these subjects on the corporate LAN, and many of the results would be inaccessible (Websense reason: hacking). There's a grudging acceptance, from both sides (since the business unit that "isn't core" turns a profit and looks after itself).

    I don't think the disconnect I describe is particularly abnormal.

    * Caveat: with our first-world customers, there's paperwork (and it's important to comply - it's you who, uncoupled, end up behind bars). With customers outside Europe/US, it's often a little less formal.

  6. ukgnome

    You can't do that

    It's against data protection laws.....

    I'll bite: "paragraph and subsection?" is always my reply. That's because almost everyone doesn't actually know what the DPA is. Heck, I've worked in so many environments where I need to know, and I refer back to various law sites.

    It comes as no surprise that most offices fail, as most people in offices learn about data protection from a business trainer who parrot-fashions something that sounds similar to it.

    1. Alistair

      Re: You can't do that

      I'll agree with ukgnome. 99% of the "compliance issues" I've seen have had nothing to do with actual legal compliance, mostly "But our security people said......" compliance. That said, there are unfortunately some security types who have been handed a mandate, and thus have become bulls in the proverbial china shop.

      On the other side, I've mined data out of application transaction streams that was blatantly violating essential security rules and had the app team come back with "Oh, no, there is no such data in our application, you must have seen something else." For MONTHS after the fact. Only to have the DSS third-party analysis agree with my findings.

      Most of the Sysadmins I've met have the little grey cells to read the law so that they have a chance. Few of them are willing to stand up and wave the document around, I suspect due more to the current atmosphere in IT than anything else.

      I'm seeing more of a "don't rock the boat" attitude lately than I've seen in years, and I'm not 100% sure *why*.

      Mine's the one on the far side of the canoe; hold on while I stand up and grab it.
