Data protection is not just for “big business” – protecting customer and employee personal data is a key issue for any business or organisation, whatever its size.
Here are some areas for consideration:
The Protection of Personal Data Outside of the Office
Does the information your business has stored about your customers and employees ever leave your office? For example, do your employees take work home on memory sticks or laptops that might include personal information?
If so, when was the last time your organisation’s personal data handling policies and procedures were reviewed?
Do you have a policy for removable media (memory sticks, laptops, etc.) that may contain personal data?
Breach of the Data Protection Act
There have been a number of high profile breaches and stinging monetary penalties issued by the Information Commissioner’s Office (ICO) for breaches of the Data Protection Act, the most recent being a penalty of £150,000 issued to the Nursing and Midwifery Council, published on 15th February 2013.
The council had lost three DVDs which contained highly sensitive personal data regarding two vulnerable children. On investigation it was found that the council had no policy requiring the encryption of data on removable media devices such as DVDs, whether held at the council offices or in transit.
The ICO found that the council was in breach of the 7th Data Protection Principle that states “Appropriate technical and organisational measures shall be taken against unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
On a practical level, organisations need to have appropriate security policies in place for the use and encryption of removable media such as DVDs, memory sticks and external hard drives. In addition, data processing agreements should be in place with third parties that physically transport such data or process personal data on behalf of the organisation.
But remember, it’s not enough to just have the policies and procedures in place; make sure that your organisation, and any third parties that process personal data on your organisation’s behalf, actually adhere to them.
It’s not just the inconvenience of an investigation by the ICO and possible monetary penalties that businesses need to avoid; equally damaging is the longer term loss of reputation and harm to your brand that such a breach may cause.