Security of personal data: are you complying with your obligations?

Put in place clear policies covering all aspects of information security, making sure that your staff are aware of them and understand them. Give a senior manager responsibility for maintaining the policies and keeping them up to date.

Similarly, put in place an appropriate asset management system so that you know what data you hold, the hardware on which it is stored and the software used to process it. At the same time, consider the physical security of your premises and whether it is appropriate to have separate security zones for important data storage areas such as server rooms, so that only authorised staff can access them.

Technical security measures

Technical security measures should be tailored to the size and complexity of your organisation. Consider the following:

Make sure that you remove all personal information from old IT equipment before you dispose of it, either by using purpose-built data-erasure software or by physically destroying the hard drive; simply deleting files or reformatting the drive does not reliably remove the data. Installing anti-virus, anti-spyware and firewall software, and keeping them up to date, is also key to keeping cyber threats at bay.

Make sure your operating systems are up to date with the latest security patches. Carry out regular back-ups of your data and store them securely off-site where possible. Also make sure that your staff use suitably complex passwords and change them regularly.

Staff also need to be aware of the risks of using email. A large proportion of security breaches arising from human error happen as a result of sending emails to the wrong recipient or with the wrong attachment.

Finally, encrypt sensitive personal data. This is particularly important for data held on portable devices used by staff who travel or work from home. If a laptop containing significant quantities of unencrypted sensitive data is lost or stolen, for example from the back seat of a car, there is a strong possibility that you will be fined.

Be prepared for a breach

Even with the best systems in place there is always the potential for a data security breach. The key is to be ready to act swiftly and efficiently to limit the damage, and to recover lost or damaged data where possible. You will want to investigate what went wrong and improve your security measures accordingly. You may also need to inform the individuals whose data has been lost or disclosed, especially where that will help them limit the harm caused to them (for example by changing their passwords).

Informing the ICO is not yet mandatory in the UK, but the Commissioner certainly expects to be told about the more serious breaches, and may be able to assist. The new European regulations are expected to make breach reporting mandatory. If you put in place a clear policy setting out how you will manage a breach, you put yourself in the best possible position to respond efficiently if the worst happens.

Another issue that has emerged in the past couple of months, and that may cause considerable complication for cloud compliance, is the recent Court of Justice of the European Union ruling that invalidated the EU-US Safe Harbour agreement.

Mark Heather is a director at Proteus Solutions.
