Data protection – are you protected?
How confident are you that your business’s data is safe from hackers or carelessness on the part of your users? What are the penalties for getting it wrong? How can you minimise the risk of data loss?
Most businesses rely heavily on personal data relating to clients, prospects and other stakeholders. But many organisations face serious challenges regarding the capture, processing and securing of this information.
What are the penalties for getting it wrong?
Both the risks and the likely penalties for suffering a data loss are increasing. The Information Commissioner (ICO) stated recently that organisations need to rethink their approach to data protection and is backing up this warning with decisive action. In total, 36 organisations were collectively fined £2 million in 2016, up from nine fines totalling £668,500 two years earlier. You have been warned!
The difficulty for many SMEs is that they typically have limited financial resources and relevant expertise, and the focus is almost certainly on the provision of services. But none of that will count as a mitigating factor if you suffer a data breach or use personal information inappropriately.
How are the rules changing?
All personal data held by any organisation for any purpose is governed by the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). However, there is a new EU Directive, the General Data Protection Regulation (GDPR), which is due to come into force on 25 May 2018. The ICO has described the GDPR as “a game changer for everyone” that brings “a more 21st century approach to the processing of personal data”. The GDPR increases the size of the fines that can be levied in the event of a data breach or non-compliance with the Directive to as much as 4% of the annual worldwide turnover of an organisation or €20 million (whichever is the greater). This is enough to put many SMEs out of business.
What can you do?
There are a number of steps you can take to minimise the risk of your business suffering a data loss or using information inappropriately:
- Security and confidentiality of data must be at the heart of your IT decision-making, not just an afterthought.
- Ensure you have explicit consent for storing and using any personal information for the specific process you wish to use it for.
- Encrypt confidential data. The ICO has said categorically that it will not accept any excuse for a data breach if the data were not encrypted, regardless of any other measures in place.
- Make sure you know what data you’re capturing, where it is stored and how it is protected. Take particular care before entering into agreements with third parties for data storage and processing, such as specialist emailing services or outsourced data centres. Remember that you are responsible for your data at all times, regardless of where it is located or who is processing it.
- Ensure you have well-defined policies and procedures that are communicated regularly to all relevant personnel regarding both the security and use of personal information.
- Commit to an independent review of your measures and policies on at least an annual basis to identify issues and gaps.
- As a general rule, don’t do anything with data unless you are certain that it is appropriate and secure to do so.