Information Security: Are you compliant?
Every day your organisation produces and consumes vast amounts of information from clients, partners, employees and other stakeholders. Managing payroll, analysing cash flow and keeping track of suppliers are just some of the tasks you manage every day that are critical to your success. The information these tasks generate is likely to be sensitive and must be managed accordingly to prevent security breaches. But did you know that maintaining information security is not just sound business practice? It is actually your legal responsibility to eliminate the very conditions that may lead to loss of data.
The primary piece of legislation which most people will be familiar with is the Data Protection Act of 1998 (DPA). In force since 2000, it is based on European law and was created to protect individuals’ personal data in the UK. Specifically, it addresses the fact that personal data may only be used for the purpose it was collected and cannot be disclosed to other parties without consent from the individual.
What it means for organisations:
The Act’s seventh data protection principle states that you must have appropriate security to prevent personal data from being accidentally or deliberately compromised. In particular, organisations are required to:
- Design and organise security to fit the nature of the personal data held and the harm that may result from a security breach.
- Be clear about who is responsible for ensuring information security.
- Make certain the right physical and technical security is in place, backed up by robust policies, procedures and reliable, well-trained staff.
- Be ready to respond to any breach of security swiftly and effectively.
Full details on the DPA and steps you can take to ensure compliance are available from the Information Commissioner’s Office (ICO) website ico.org.uk.
You are probably aware of the negative consequences of information security breaches such as financial loss due to customer attrition, damaged reputation and even costly fines, but the ripples go much further. From April 2010 the ICO was given new powers, meaning that organisations that lose individuals’ personal data can face fines of up to £500,000. Previously, the ICO could only fine firms up to £5,000 for serious breaches of the Data Protection Act, so this represents a significant extension to its powers.
To date, over £6 million in financial penalties have been issued to organisations found in breach of the DPA by the ICO, which should place information security firmly at the top of every organisation’s agenda.
What can you do?
The old saying “A stitch in time saves nine” is never truer than now. In spite of a constantly changing regulatory and legal landscape, one thing will remain constant: preventing a breach is much easier and less costly than dealing with the potential repercussions. Here are some suggested steps to help you comply:
- List all information security risks specific to your organisation, targeting both paper-based and electronic information sources. Consider every stage of the information cycle; from data generation and storage, to the transfer of data from location to location, and the document destruction process.
- Train your employees in best practices and have a clearly documented and well-understood process for secure document management and destruction.
- If the volumes of confidential information your organisation produces are too large to manage in-house, consider outsourcing document and data destruction to professional providers who ensure the total security of the destruction process.
Ben Johnson Ltd have teamed up with Shred-It to offer cost-effective shredding services. If you would like to find out more, or want to book a free audit, contact your account manager today on 01904 698 698.