The consequences of failing to keep personal data secure can be serious – the Information Commissioner’s Office (ICO) can impose fines of up to £500,000 for serious breaches, and a security failure can be damaging to an organisation’s brand and reputation.
The General Data Protection Regulation under discussion in the European Parliament (to be introduced later in 2016) is likely to increase significantly the maximum fine which can be imposed – so the time is right to review your systems to make sure you are doing everything you should to look after the personal data which your business holds.
What are the obligations?
Under the Data Protection Act 1998, organisations which process personal data must use “appropriate technical and organisational measures” to protect it from unauthorised or unlawful processing, and against loss, destruction or damage. The legislation doesn’t specify what measures are considered “appropriate”, and there is no “one-size fits all” set of measures which works for all firms and types of data.
Security breaches arise from a wide range of events such as viruses, deliberate hacking attacks, human error and the loss or theft of equipment such as laptops or data sticks. They can also arise when data is accessed by people who shouldn’t have access to that data.
What measures should you take?
In considering what measures are “appropriate” to protect personal data, think about:
- The nature of the information you are aiming to protect; and
- The harm that might result to the individual if their personal data is used improperly, lost or accidentally destroyed.
For example, most businesses hold HR files which might contain information about employees’ health, financial information and even passport numbers. This is extremely sensitive information which could cause significant damage or distress to an individual. The level of protection you put in place should reflect this potential risk. On the other hand, a small database containing names and email addresses of business contacts is still personal data, but the potential effect of its accidental disclosure is much less severe and a lower level of protection may therefore be sufficient.
Read more articles about data:
- A desk liberation that led to a legal security nightmare
- Prison, fines and reputation damage: Cost of bad test data management on financial institutions
- Making the most of data: Why businesses should use data analytics to unlock understanding
Assess the risks and tailor your security measures to provide the highest level of protection to the data which is the most likely to cause harm if is lost, damaged or disclosed. The ICO doesn’t expect every organisation to have state-of-the-art cyber security systems, and the Data Protection Act says that your assessment of the available technologies may take account of the cost of implementing them. But keep your security systems under review in the light of changes in technology and reducing implementation costs.
Organisational security measures
There are operational and managerial arrangements which you can put in place to help protect personal data.
Ensure that the most senior level of management understands the potential business impact of risks relating to data, so that they can manage the risks effectively. It is also worth nominating a senior manager with sufficient authority to take responsibility for the protection of personal data in your organisation, and promote a culture of compliance and security.
Firms should also train employees who handle personal data to ensure they understand the importance of protecting it and have the knowledge and skills to enable them to do so. Also, consider nominating an individual in each department to act as the “champion” of good practice in data protection and security – give them in-depth training in the legal requirements and the practical and operational ways in which your data can best be protected. Ask them to be alert to levels of compliance in their department and to report to you on areas where systems could be improved.
Read on to find out what technical security measures you can put in place.
Share this story