Data protection law originally came into being as a reaction to the misuse of personal data by totalitarian regimes before and during WW2.
It is intended to strike a balance between the rights of individuals to privacy and the capacity of businesses, organisations and governments to use personal data for their own purposes.
The computer and the internet have made it much easier and quicker to store, transfer and process personal data, and have therefore exposed personal data to a greatly increased risk of misuse, loss and theft. In response, the EU and national governments have introduced a series of laws and regulations culminating in the General Data Protection Regulation (“GDPR”), which will become law in the UK in June 2018 regardless of the Brexit vote.
The GDPR brings with it significant changes, including mandatory breach reporting and very heavy fines. Information security is an organisation-wide risk which necessitates physical and organisational as well as technical security measures.
Complying with both existing data protection law and the GDPR cannot therefore be the sole responsibility of the IT team but must, rather, be treated as an issue for Risk Managers to address and control.