Data Protection is an issue that affects all organisations. If not handled properly, it can be extremely damaging for a company’s reputation and its relationship with customers. Data loss can also incur significant financial penalties. For example, take a look at Sony, which was fined £250,000 by the ICO this month following a “serious breach” of the Data Protection Act, as reported by the BBC.
The EU Data Privacy Day (celebrated today, January 28th 2013) is a reminder of how important data protection is for the well-being of businesses and individuals alike. Tune in to our webinar this afternoon on ‘The Changing Data Protection and Privacy Landscape’, presented by DPA expert, Ralph O’Brien.
The following data protection tips from the IT Governance Consultancy Team are based on best practice guidelines and practical experience. They are simple to implement but will make a difference to you and your company in terms of improved data protection management.
Gain a basic understanding of the Data Protection Act
Unfortunately in many organisations there is a lack of understanding of the Data Protection Act 1998 (DPA). In some cases this can be at senior management level, affecting the whole organisation. It is therefore imperative for business leaders to familiarise themselves with the eight DPA principles for the business, and for staff with the six principles for the individual. So, if you occupy a senior management position or are responsible for data protection, you should book onto a DPA Foundation Training Course which will develop your knowledge through expert teaching, workshop discussions and planned exercises.
Engage with the ICO
The Information Commissioner’s Office (ICO) is a UK independent authority, set up to uphold information rights in the public interest. It looks more kindly on organisations that are trying their best when it comes to data protection than on those that bury their heads in the sand. Subscribe to the ICO’s newsletter to keep up-to-date with upcoming changes and news.
Know where your Personal Identifiable Information (PII) is stored
One of the basic tenets of protecting personal identifiable information (PII) is knowing where in your systems it is stored. If you do not know where the information to be protected is located, then it is impossible to provide adequate protection. One of the dangers is end-user computing. This is where users create their own spreadsheets, macros and programs to manipulate data exported from databases, resulting in sensitive information being stored in unknown, unsecured locations.
Be aware who inside your company sees your data
A key control for protecting the privacy of data is access control: ensuring that only those who have a business need to access the data have the relevant rights. Your IT administrators do not always have a business need to access financial and HR records, for example, nor does everyone in your company need the same level of access. Do call centre operators really need access to delete or modify data records?
Have a clear policy on personal data protection
Having a clear policy on your organisation’s commitment to data protection is essential, but you need to ensure that your staff are aware of it and understand it. One effective means of conveying data protection messages and educating staff in data protection best practice is by deploying DPA staff awareness e-learning. This highly effective and cost-efficient method will also help you meet compliance and regulatory requirements.
Ensure crisis communication data is also covered in your overall data protection policy
Crisis communication data usually includes home telephone numbers and addresses of next of kin. All of this data can be managed securely in an organisation’s own network, but to make it available in the event of major incidents, it often needs to be accessible via external systems as well, increasing the risk of violation of data privacy. Apart from obtaining individuals’ consent for it to be held for this purpose and minimising the amount of data held, it is important to use the most secure (digital) platform possible.
Control media and mobile devices, including BYOD
If you look at past data breaches, it becomes obvious that mobile devices such as USB sticks, laptops, tablets and mobile phones have contributed significantly to data loss. Your data protection policy should include a clause on the use of mobile devices, whether corporate or BYOD. The use of encryption software with staff awareness training is a must!
Ensure water-tight contracts with third parties
If outsourcing any work related to personal data, make sure there are water-tight contracts in place. It is important that you are aware of who has the ultimate responsibility for the protection of the data and that you specify this in the agreement.
Remember to register for our free webinar this afternoon on ‘The Changing Data Protection and Privacy Landscape’. Starting at 16:00 GMT, Ralph O’Brien will take you through the changes to legislation, the ICO and your organisation’s obligation to comply.