Security of personal data – are you complying with your obligations?
10 February 2016
Most business leaders are aware that they have obligations to protect the personal data of their staff, customers and other individuals whom they deal with. But understanding the real operational implications of those obligations isn’t always easy in practice.
The consequences of failing to keep personal data secure can be serious – the Information Commissioner’s Office (ICO) can impose fines of up to £500,000 for serious breaches, and a security failure can be damaging to an organisation’s brand and reputation.
The General Data Protection Regulation under discussion in the European Parliament (to be introduced later in 2016) is likely to increase significantly the maximum fine which can be imposed – so the time is right to review your systems to make sure you are doing everything you should to look after the personal data which your business holds.
What are the obligations?
Under the Data Protection Act 1998, organisations which process personal data must use “appropriate technical and organisational measures” to protect it from unauthorised or unlawful processing, and against loss, destruction or damage. The legislation doesn’t specify what measures are considered “appropriate”, and there is no “one-size-fits-all” set of measures which works for all firms and types of data.
Security breaches arise from a wide range of events such as viruses, deliberate hacking attacks, human error and the loss or theft of equipment such as laptops or data sticks. They can also arise when data is accessed by people who shouldn’t have access to that data.
What measures should you take?
In considering what measures are “appropriate” to protect personal data, think about:
- The nature of the information you are aiming to protect; and
- The harm that might result to the individual if their personal data is used improperly, lost or accidentally destroyed.
For example, most businesses hold HR files which might contain information about employees’ health, financial information and even passport numbers. This is extremely sensitive information which could cause significant damage or distress to an individual. The level of protection you put in place should reflect this potential risk. On the other hand, a small database containing names and email addresses of business contacts is still personal data, but the potential effect of its accidental disclosure is much less severe and a lower level of protection may therefore be sufficient.
Assess the risks and tailor your security measures to provide the highest level of protection to the data which is the most likely to cause harm if it is lost, damaged or disclosed. The ICO doesn’t expect every organisation to have state-of-the-art cyber security systems, and the Data Protection Act says that your assessment of the available technologies may take account of the cost of implementing them. But keep your security systems under review in the light of changes in technology and falling implementation costs.
Organisational security measures
There are operational and managerial arrangements which you can put in place to help protect personal data.
Ensure that the most senior level of management understands the potential business impact of risks relating to data, so that they can manage the risks effectively. It is also worth nominating a senior manager with sufficient authority to take responsibility for the protection of personal data in your organisation, and promote a culture of compliance and security.
Firms should also train employees who handle personal data to ensure they understand the importance of protecting it and have the knowledge and skills to enable them to do so. Also, consider nominating an individual in each department to act as the “champion” of good practice in data protection and security – give them in-depth training in the legal requirements and the practical and operational ways in which your data can best be protected. Ask them to be alert to levels of compliance in their department and to report to you on areas where systems could be improved.
Put in place clear policies covering all aspects of information security, making sure that your staff are aware of them and understand them. Give a senior manager responsibility for maintaining the policies and keeping them up to date.
Similarly, put in place appropriate asset management systems so that you know what data you hold, the hardware on which it is stored and the software which is used to process it. At the same time, consider the physical security of your premises and whether it is appropriate to have separate security zones for important data storage areas such as server rooms, so that they can only be accessed by authorised staff.
Technical security measures
Technical security measures should be tailored to the size and complexity of your organisation. Consider the following:
Make sure that you remove all personal information from old IT equipment before you dispose of it, either by using specially designed software or by destroying the hard drive. Installing anti-virus, anti-spyware and firewall software, and ensuring that they are kept up to date, is also key to keeping cyber threats at bay.
Make sure your operating system is up to date and has the latest security patches. Carry out regular back-ups of your data and store them securely in another location if possible. Also, make sure that your staff use suitably complex passwords and change them regularly.
Staff also need to be aware of the risks of using email. A large proportion of security breaches arising from human error happen as a result of sending emails to the wrong recipient or with the wrong attachment.
Finally, encrypt sensitive personal data. This is particularly important for sensitive information on portable devices used by staff who travel or work from home. If a laptop containing significant quantities of unencrypted sensitive data is lost or stolen from the back seat of a car, there is a strong possibility that you will be fined.
Be prepared for a breach
Even with the best systems in place there is always potential for a data security breach. The key is to be ready to act swiftly and efficiently to limit the damage, and to recover lost or damaged data where possible. You will want to investigate what went wrong and make improvements to your security measures. You may also need to inform the individuals whose data has been lost or disclosed, especially if that will help them limit the harm caused to them (for example by changing passwords).
Informing the ICO is not yet mandatory in the UK, but the Commissioner certainly expects to be told about the more serious breaches, and may be able to assist. The new European regulations are expected to make reporting of all breaches mandatory. If you put in place a clear policy which sets out how you will manage any breach in the most effective way, then you can put yourself in the best possible position to respond efficiently if the worst happens.
Another development in the past couple of months that may cause considerable complications is the implication for cloud compliance of the recent nullification of the EU Safe Harbour ruling.
Mark Heather is a director at Proteus Solutions.