The consequences of failing to keep personal data secure can be serious. The Information Commissioner’s Office (ICO) can impose fines of up to £500,000 for serious breaches, and a security failure can damage an organisation’s brand and reputation. The General Data Protection Regulation under discussion in the European Parliament (expected to be adopted later in 2016) is likely to increase significantly the maximum fine which can be imposed, so the time is right to review your systems to make sure you are doing everything you should to look after the personal data which your business holds.
What are the obligations?
Under the Data Protection Act 1998, organisations which process personal data must use “appropriate technical and organisational measures” to protect it against unauthorised or unlawful processing, and against accidental loss, destruction or damage. The legislation does not specify which measures are considered “appropriate”, and there is no one-size-fits-all set of measures which works for every firm and every type of data. Security breaches arise from a wide range of events, such as malware, deliberate hacking attacks, human error and the loss or theft of equipment such as laptops or USB sticks. They can also arise when data is accessed by people who should not have access to it, including staff whose role does not require it.
What measures should you take?
In considering what measures are “appropriate” to protect personal data, think about:
- The nature of the information you are aiming to protect; and
- The harm that might result to the individual if their personal data is used improperly, lost or accidentally destroyed.
Organisational security measures
There are operational and managerial arrangements which you can put in place to help protect personal data. Ensure that the most senior level of management understands the potential business impact of risks relating to data, so that those risks can be managed effectively. It is also worth nominating a senior manager with sufficient authority to take responsibility for the protection of personal data in your organisation and to promote a culture of compliance and security. Firms should also train employees who handle personal data so that they understand the importance of protecting it and have the knowledge and skills to do so. Consider nominating an individual in each department to act as the “champion” of good practice in data protection and security: give them in-depth training in the legal requirements and in the practical and operational ways in which your data can best be protected, ask them to stay alert to the level of compliance in their department, and have them report to you on areas where systems could be improved. Read on to find out what technical security measures you can put in place.