Compliance, traceability, information security … just a few of the buzzwords that have become part of the vernacular of almost every industry in recent times. Specific industries, such as food and beverage and packaging, have extremely onerous regulatory frameworks in which they operate. As an ERP solution provider, our environmental scanning often raises some interesting questions.
Protection of Information
While “interrogating” ISO 9001 on many different issues, I came across an often-overlooked clause: 8.5.3 Property belonging to customers or external providers. Clause 2 caught my eye – “the organisation shall identify, verify, protect and safeguard customers’ or external providers’ property provided for use or incorporation into the product or service” – particularly “protect and safeguard”. What does this mean? The Standard Note showed that it included personal data. Whoa! This is suddenly a huge undertaking that will cost millions.
Currently, there is a growing legal requirement for protection of information, and rightly so. This has led to an explosion of interventions across organisations to protect the information in a reasonably pragmatic and affordable way to comply with the legislation.
I considered the legislation and regulations, and found many references to protection of personal information. Noticeably, EU Directive 95/46/EC: 1995 Directive on Data Protection, the GDPR (General Data Protection Regulation) – Regulation (EU) 2016/679, and the Australian Privacy Act of 1988 (yep, 1988!) with a guideline describing reasonable steps entities are required to take. It was there all along … and for decades.
Information Security Management Systems
Everyone is on the bandwagon now, and every major lawmaker is promulgating new legislation. There are also new protocols, such as the ISO 27000 family, to guide organisations establishing their own Information Security Management Systems. There are also clauses appearing in many other protocols that also address this (as we highlighted above). What of the ISO 9001:2015 accredited organisations that have confidential information, but do not have protocols in place? Due to the extent of this requirement, a workable solution and guideline is needed to assist these organisations. Certainly, the big ERP systems need to be aligned as their systems store the confidential data for millions of consumers.
Where Does the Responsibility Lie?
The conclusion is that the legislation and the regulations has been in place for a long time, and those responsible have not taken note of it, all in our drive to better the world. This needs to be addressed, and everyone is frantically rectifying it, but what should be done to ultimately rid the world of this issue. The consumer will say “Simple. Protect my information.” The ERP giant will say “How? You demand more and more convenience, and each convenience exposes the system to security breaches.”
This triggered a series of questions: Who is ultimately responsible for the protection of the information? Will compliance with a standard or standards fulfil our obligation to the regulators, and our moral obligation to the consumers? Surely, everyone must participate in protecting the information?
Please make sure that you look out for my next blog that will delve into these questions and come up with some possible answers.