Whether it’s details about clients, employees, or the business itself – most businesses today will have some form of data to store. Whilst the idea of trawling through endless lever arch files in huge rooms reminiscent of something out of Harry Potter sounds thrilling, it’s most likely that these companies will be storing such data electronically. In an increasingly tech-focused era of business this certainly makes life easier for companies, yet can also carry some serious risks if your data storage isn’t up to scratch.
Data protection has certainly been a hot topic recently; not only with emergency data laws being pushed through Parliament this year and Edward Snowden pushing for increased debate about cyber security, but also The Racing Post’s recent run-in with the Information Commissioner’s Office.
In October 2013 677,335 accounts had their security compromised after a breach of the company’s database that included information such as customer names, addresses, dates of birth and telephone numbers. Following an investigation the ICO found that whilst The Racing Post weren’t just leaving data lying around as they did have security systems, these systems weren’t up to date with the relevant ‘security patches’, and so the company have recently signed a commitment to improve their security practices for IT.
What you need to do
Although the majority of companies storing their data online will have some form of security practice in place, technology is developing so fast that there’s barely ‘a day without a company being the target of an online attack’ according to the ICO. Therefore, in order to make sure your security practice is up to date we’ve put together some advice for what companies, whether big or small, should be doing to ensure the best protection for their client data.
1. Register with the Information Commissioner’s Office
First things first, if you’re storing data you must register with the Information Commissioner’s Office so that Data Controllers can declare what information will be stored and how.
2. Get yourself familiar with the Data Protection Act
Once you’re registered, make sure you get some legal advice to get an understanding of the Data Protection Act. This governs the collection and storage of personal information, and the possible abuse of these systems. Everyone responsible for using data has to follow strict rules called the ‘Data Protection Principles’, which say that personal data must be:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the UK without adequate protection
Also, if your business is storing more sensitive information, such as ethnic background, political opinion, sexual health, criminal records and religious belief, you will need stronger legal protection for these.
3. Risk Evaluation
Take a lesson from The Racing Post, and regularly make sure your data security systems are up to scratch, including applying the relevant security patches as they are released! With the constant development of technology, there’s always going to be a new risk. So, make sure you carry out risk evaluation regularly to ensure the correct security systems are in place.
4. Back up back up!
Backing up or copying essential data is a must. Not only is losing essential client data a huge administrative nightmare, but losing it also means you have failed to keep it safe and secure. Plus, having to ask your customers for their names and addresses because you ‘lost them’ won’t exactly send the best message.
Who’s doing the telling off?
Not only do data breaches carry a huge risk for your clients and your reputation, but they can also carry the risk of an expensive ‘telling off’.
Although some companies, namely those acting for national security reasons or domestic purposes, are exempt from the Information Commissioner’s Office, most are at their mercy as this body acts as the watchdog for data protection. The ICO is certainly someone you won’t want to get on the wrong side of – their main options of sanction include issuing undertakings, serving enforcement notices, conducting audits, issuing monetary penalties of up to £500,000, and even prosecution. Take the examples of Sony and Zurich; the Sony data hack in January 2013 saw them fined £250,000 and the Zurich hack in 2010 saw them fined a massive £2,275,000 after the loss of 46,000 records... ouch.
Whilst these examples are pretty extreme, the constant emergence of new threats to data privacy means that companies, big or small, need to be up to date with their security features.
Contact Hybrid Legal today for your free consultation – we can make sense of the Data Protection Act for you, to set out your obligations in a clear and simple way to make sure your company is on the right side of data developments.