Possibly your most valuable business asset is the data you generate. It can be both confidential and commercially sensitive; it may contain financial or health records of individuals, trade secrets, customer records and company financial information.
You certainly wouldn’t want to lose it, and most likely don’t want others to see it without authorisation, for fear of adverse publicity or, worse, prosecution.
Smaller organisations should also consider the risks at stake. For example, remote working is a prime area of concern, as is employees using their own devices; both give potential hackers a wider scope within which to attack a business.
So how can you protect your data?
There are a number of steps you can take, from protecting the company’s legal rights to data and backing up your electronic data, to ensuring that you have effective company policies and procedures in place.
- Consider the types of data you hold and where they sit within the business. It may be worth performing an audit to establish how much data you have and what information is likely to need greater protection.
- Most of your business information may be confidential, but how much of it is truly commercially sensitive? Consider using copyright or trademark as a way of protecting your intellectual property where you have new and commercially viable ideas, or to protect a logo. Appoint a member of staff to act as a ‘gatekeeper’ to control the disclosure of, and access to, confidential information, whether electronic or paper based, and ensure you have appropriate contractual protection with your employees, contractors and other third parties.
- Employee data will be caught by the Data Protection Act 1998, as may some of your customer data. If you hold sensitive personal data (e.g. health records) you will have increased compliance obligations. As well as keeping this data safe, you need to ensure it is accurate and up to date, and have the facility to respond to individuals who wish to exercise their rights under the Act. Also, and importantly, new data protection law will become effective next year. It imposes greater compliance obligations on all organisations that collect and process data, and organisations should begin preparing for it now.
- Information security is fundamental to ensuring business continuity and minimising risk, as well as being legally necessary to protect personal data. Organisations need to take ‘appropriate technical and organisational measures’ to protect personal data. Although not specifically cited, encryption is an effective way of achieving this. Other considerations include reviewing any cloud storage arrangements, knowing where your data is stored, and putting appropriate contractual safeguards in place.
- Perhaps one of the most effective methods of protecting data is to educate staff. Implementing training and introducing appropriate policies and procedures, together with warnings about the personal liabilities staff face should they breach confidentiality provisions, will prove invaluable in achieving the maximum possible protection.
- Check your company insurance: a company which is highly dependent on its data and concerned about its contractual exposure for loss may wish to obtain insurance against any loss of its own or third-party information.
Finally, any measures undertaken will need to be implemented across a business and will require buy-in from all departments, particularly IT and risk management, with strong endorsement from senior management to ensure that a culture of risk awareness is promoted throughout the organisation.
If you would like more information on this topic or to see how we can help protect your data, please contact firstname.lastname@example.org