Did you know that The Information Commissioner’s Office (ICO) can enforce fines up to £500,000 to anyone who fails to handle “personal data” in accordance with the Data Protection Act (1998) principles?
Companies are legally required to have security procedures in place to ensure that any personal data belonging to customers or employees is stored securely and without risk of being lost or stolen.
From May 2018, the maximum fine will rise to €20 million when the EU General Data Protection Regulation (GDPR) comes into force.
Why protect your business data?
Data, in all its forms, is the key to a successful business. Data helps establish strategy, assures appropriate billing, keeps records and a myriad of other essential tasks. Without data, business can be hard to manage and may even fail. So, protecting data is nothing less than a strategic priority.
A survey by Rubicon Consulting showed that, of the companies that lost data, approximately one-third lost sales, 20% lost customers and 25% claimed the data loss caused severe disruptions to the company. Even a small breach of information security can cause major reputational damage. On top of that there will be a fine that needs paying.
How could you lose your business data?
Human error accounts for around a third of all data loss. This includes intentional or accidental deletions of files, loss or corruption of backup files, re-direction of funds, customer details or sensitive company information.
The Serious Crime Directorate from Kent Police have shared this example to demonstrate the impact of data loss.
“A company had a disagreement with their senior IT employee. This resulted in the company dismissing the employee and as a parting shot telling him he would not be paid anything further by them.
The company however did not take swift action in removing the now ex-employee from their network, as such within a day he had gained remote access to their system and destroyed key files required to operate their business and corrupted the backup files.
Although the suspect was arrested and is currently on bail, this does not retrieve those files back for the company and they are only now, some 3 months later, starting to operate more smoothly.”
System glitches account for around a quarter of information loss. Keeping a tight rein on remote access, wireless networks, open source coding and uploading of software must be closely controlled. Viruses and data corruption are common issues to be addressed.
Natural disasters are of course less common, but more frequent issues include fire, theft (be it physical media or the hacking of networks) to a lightning strike causing a knock-on effect of damaging your hardware.
What level of security is required?
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
– Data Protection Act 1998
In practice, this quote means that you must have ‘appropriate security to prevent the personal data you hold being accidentally or deliberately compromised’.
The Act doesn’t define “appropriate”, but it does say that an assessment of the appropriate security measures in a particular case should consider technological developments and the costs involved.
The Act doesn’t require you to have state-of-the-art security technology to protect the personal data you hold, but you should regularly review your security arrangements as technology advances. There is no “one size fits all” solution to information security, and the level of security you choose should depend on the risks to your organisation.
Data Security Tips
The ICO have a comprehensive list of tips that organisations can use as a starting point to make sure that any personal information it has is held securely.The ICO recommend to:
- Install a firewall and anti-virus software on computers.
- Upgrade to the latest, and safest operating system.
- Protect your computer by downloading the latest patches and security updates, which cover vulnerabilities.
- Install anti-spyware software to protect against secretly installed software aimed at stealing private information.
- Encrypt any personal information held electronically if it will cause damage or distress if it is lost or stolen.
- Only allow your staff access to the information they need to do their job and don’t let them share passwords.
- Take regular backups of the information on your computer system and keep them in a separate location.
- Remove all data before disposing of computers (by using specific technology or destroying the hard disk).