No one would argue that data protection is important — the Yahoo breaches, among many others, show just how serious the consequences can be for a business. But when it comes down to it, it can seem like data protection is one of those things that only bigger businesses need to worry about. After all, you’re not keeping massive databases of customer data, or holding anything that would leave you liable for data protection violations, right?
Actually … probably wrong.
It’s almost certain that you’re holding some type of data that you need to protect to be in compliance with the Data Protection Act. Unless you never use a computer in your small business, are only collecting information for private use, like a private address book, or are an exempt non-profit, you are likely to have to comply with the Data Protection Act.
OK, that sounds like a big deal. What does it actually mean?
It is important — breaches of the Data Protection Act are punishable by fines of up to £500,000. But it’s not that difficult to keep your business in compliance. The first thing you need to do is figure out whether you need to register with the Information Commissioner’s Office. They have a self-assessment here that can help you determine whether you need to register or not. You can then register with the ICO as a data controller.
What do you need to do as a data controller to protect customers’ data?
There are lots of specifics on the ICO’s site, but these are the broad strokes you can take to avoid a data breach:
— Basic computer security.
This includes things like making sure you have a firewall, virus scanning software and anti-spyware programmes on your computers, and keeping them up to date. You should also make sure that your computers are set to install operating system updates automatically, so they aren’t left open to vulnerabilities that have already been fixed in newer versions.
Along the same lines, consider encrypting personal information, and keep backups of everything so you don’t lose the data in case a breach does happen. Change your passwords regularly, and don’t let staff share passwords.
Of course, computer security also includes being aware of how email is used in your organisation. Depending on the type of data you’re sending, you may want to encrypt your email. And — although it sounds like common sense — do be careful not to send emails to the wrong person, and avoid sharing sensitive information on group emails.
— Premises security.
The best computer security measures in the world are useless if you have issues with physical security at your business. Make sure that you have up-to-date locks and alarms at your premises, and consider using a CCTV system. (Although that will be another source of data that you’ll need to protect as a data controller.)
Also consider ways that you can protect the data you collect by the positioning of your computers. For instance, you may want to face computer screens away from windows where people could look in and see confidential data; or if you have a CCTV monitor running, you could move it so that only security staff can see it.
Finally, make sure you’re secure when you dispose of waste. A lot of times data isn’t stolen electronically; it’s taken from old hard drives or papers that have been dumped in the trash. There are services that will securely dispose of old equipment, and it doesn’t take a lot of effort to shred any documents that have data on them.
— Training your staff.
It makes sense that you should train your staff to follow the security protocols you put in place for your computers and premises. But you should also make sure that they can recognise other potential data risks.
One common way that data breaches happen is through social engineering, which is manipulating people into revealing data or ways to get at data. This is why it’s really important to train your staff to be able to recognise situations in which a person may be trying to use them to get data.
Finally, make sure your staff know what kind of information they need to be collecting and how to manage it appropriately. Consider creating a checklist for your business with the type of information your staff need to collect, in what circumstances they can share it, and what they should do if someone is asking them to share information that they can’t legally share. This is a good place to start.
The long and the short of it is…
A lot of data protection comes down to common sense. But it’s also one of those things that tends to slip down your priority list until a breach happens and it becomes a huge issue. With a little preparation, you can easily create policies and practices to keep your customers’ data safe — and your business compliant.