Data Protection is a serious issue. In the UK, the Information Commissioner can fine organisations up to £500,000 for repeated breaches of data security caused by broken business practices. Yet data security guidelines are far from prescriptive about what should be done to provide adequate protection for your organisation's confidential data, so what should small business owners do to ensure that they stay on the right side of data protection legislation and protect their own interests?
The UK Data Protection Act
If you hold personal information about individuals, you have a number of legal obligations to protect that data under the Data Protection Act of 1998. For full information on the 1998 Data Protection Act, you should visit the web site of the Information Commissioner at http://www.ico.gov.uk, but the eight principles for data protection can be summarised as follows:
- You must have legitimate grounds for collecting the data.
- You must only process the data in a way that is in the person’s best interests.
- Tell people what you will do with their data when you collect it.
- Only process the data in a way that the person would expect.
- Don’t process the data illegally.
- Only collect the information that is necessary.
- Make sure that the information is accurate and kept up to date.
- Don’t keep the information for any longer than you need to.
- Take appropriate technical and commercial measures to protect the information.
- Do not transfer personal information outside the EEC unless it is to a country that ensures that sufficient protection is undertaken to ensure the rights and freedoms of the person concerned.
Whilst protection of personal data is of paramount importance, it is not the only consideration. You should always consider the “Three R’s” when considering data security, backup and Business Continuity Planning.
- Riches - What is the data that will make you rich? The most valuable information for many small businesses is their intellectual property. How should you protect your company’s “crown jewels” against a data breach or “catastrophic” IT failure?
- Ruin - What is the information that could cost you your business? If you are a law firm and expose data relevant to an ongoing court case by dropping a USB device on public transport, the loss of reputation could cost your firm dearly. The same principle applies to numerous other professions and professional services organisations where the cost of implementing appropriate data security measures is a tiny fraction of the cost of a breach to your business.
- Regulation - What information are you obliged to protect by industry regulation (such as credit card information), and what measures are stipulated for its protection?
For many large organisations, the biggest problem that they have is finding out where all of their valuable data is. For small companies however, there is a greater imperative to ensure that staff are made aware of their duties with respect to confidential information, including what they can and can’t do. Technical measures should also be taken to protect confidential information by restricting access to your network, and ensuring that appropriate measures are put in place for data backup and encryption where necessary.
Data Security Best Practices
There is no “magic bullet” when it comes to protecting your company’s data since no two companies are exactly alike. From an IT perspective however, the most important considerations are to:
- Recognise which information is important to you, and find out where it is.
- Ensure that your important data is backed up properly, and these days that probably means using some form of off-site backup.
- Protect confidential data on laptops using whole disk encryption software, and on USB / CD etc. using file encryption. If a USB drive / laptop is lost or stolen, it is difficult to prove that no personal data has been exposed unless it has been encrypted, so why run the risk? Data Leakage Prevention (DLP) software can also be used to monitor and optionally prevent confidential information being sent outside the organisation using unmanaged communication channels such as Webmail or Dropbox.
The ultimate responsibility still lies with you to educate your employees to handle your company data responsibly so that you can eliminate the unintentional human errors that are the cause of the majority of data security incidents.
If you would like to know more about data backup, data encryption and IT security products and services available from Clearview Data Systems, or about our IT support services, please visit our web site, call us on 01707 255060, or email us at info@clearview.co.uk.