The need for software licensing conformance has, I suppose, always been there. There are a surprisingly large number of so-called reputable companies who do not pay the full amounts due on software licences, the commonest case being an increase in the number of users without a corresponding increase in fees.
This applied to systems such as TP monitors and database management systems, but it became a far more significant problem once large numbers of PCs became involved. The chaotic adoption of PCs, with all the infighting between business managers and IT departments, led to the random installation of machines with little or no control over the software on them. Since these were usually networked to a server, it was easy to take a copy of an application without reporting it, and thus without paying licence fees. Most companies have a legal policy, and most now have some means of controlling and monitoring PCs and their use, but there are still many loopholes. In fact there are probably far more instances of users being unaware that they are running unlicensed software than there are of deliberate use of illegal copies, but ignorance is no defence and both are equally guilty.
Given the scale of the PC problem, the leading vendors initiated the formation of the BSA, an organisation which can ask anyone to show proof of having paid the appropriate licence fees, and which will initiate legal action against anyone found in default. In practice this proves impossible in the fragmented domestic and SOHO markets, but it can be, and is, active in the corporate world. This, then, is the incentive for any medium to large company to pay good money to have the legality of its licensing evaluated independently, before the BSA arrives.
The next big thing after software licensing was checking conformance with the Data Protection Act. There is general consensus on this across the Western world, although there are some differences from country to country, which causes a few extra problems for companies with employees in several jurisdictions. However, the rules are well defined, and the conformance testing methodology developed for licensing has been expanded to cover data protection. Thus any company can pay the appropriate fee and have the audit performed. There are then many consultancy organisations who will implement whatever changes are needed to address the problems identified in the audit. The data protection authority will always be reasonable, and it appreciates that changes to databases and the like cannot be implemented overnight. So the mechanism for data protection conformance is just as effective as the one for software compliance.
But there is a snag. The threat of serious legal action by the BSA is very frightening, and since it can be applied directly to company directors, the board has sufficient incentive to spend money on checking conformance so that they can sleep at night! The actual threat posed by the data protection authorities is nothing like as fierce. There are so many loose interpretations, and so many angles that could be exploited, that it would have to be something serious before the law moves in. And such companies are not about to pay for a "health" check-up in any case. The bottom line, then, is that while most companies have some conscience about data protection, it is left to normal run-of-the-mill operations to sort out rather than being the subject of a separate, independent audit.
This, however, is a really big mistake. While the law is not able to wield a heavy stick, the customers are! First is the obvious impact on customer loyalty. Once their privacy has been violated, they lose trust and will spread the bad word readily. But there is an even bigger threat in today's world: the threat of being sued for "compensation". This may have been a small consideration even a year ago, but there is a new and unpleasant attitude prevalent now. The hackers are one sign of this "couldn't care who gets hurt" attitude, but the worst offenders are the law firms who have set out their stall to sell services encouraging people to profit from other people's problems. People who suffer should of course be compensated, but it is the scale of it today that is frightening; there are incessant TV adverts encouraging the naive to try to exploit misfortune, and this will find its way into data protection. A formal health check will not stop the legal sharks, but it will certainly help to limit their influence!