In summary:
There is a consequent need for organisations of all shapes, sizes and descriptions to do more to secure and maintain public confidence, by ensuring that the personal data they process are well-protected.
The challenge is finding solutions that are as efficient as they are effective. The following simple 3-point guide will go a long way toward helping you to mitigate the data protection risks that your organisation faces.
Firstly, you need to identify all reasonably foreseeable, actual and potential risks which threaten any personal data your organisation processes.
There are a number of ways that you can effectively achieve this – below are some of the methods that have proven to be both effective and efficient.
Use a simple spreadsheet or database to keep a record of all of your information assets.
Information assets constitute data that are, for whatever reason (e.g. they are used to generate revenue, or you are required to keep them by law), important to your organisation, and encompass any underlying infrastructure. Information assets may include databases, paper records, applications, servers, external hard drives, USB memory sticks, websites, etc.
This will help you to understand the risks that are posed to any data you hold, whilst at rest.
Point to note: For data protection purposes it is only necessary to keep a record of information assets which contain personal data.
You should, as a minimum, capture the following:
You need to have a clear understanding of all the personal data that flows into, within, and out of your organisation. This will help you to establish the risks that are posed to your data whilst in transit.
To achieve this, get the people in your organisation with responsibilities for processing personal data to produce a list and/or diagram that clearly sets out the types of personal data that flow into your organisation, how they move around your organisation, and the routes through which they leave your organisation.
You should, as a minimum, capture:
Points to note:
* When your organisation sends personal data (whether internally or externally), you need to keep a record of what the lawful basis for sending the data is.
** If you are the data controller then you must ensure that you impose on any third party that processes data on your behalf contractual terms which are equivalent to or greater than those imposed on you by the law of the land.
*** It is recommended best practice to ensure that any significant or routine sharing of personal data is underpinned by a robust Information Sharing Agreement.
**** You must ensure that there are adequate organisational and technological controls in place to protect the specific personal data that you process. Therefore, the more sensitive and confidential the data you process, the more you will have to do to ensure that there are robust security controls in place.
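As an added example (not part of the IG Smart guide), the four points above can be turned into checks that run over a data flow map kept in a spreadsheet or database, so that gaps land in the risk register rather than being spotted by chance. The flow fields, sensitivity categories, control names and the sample flows are assumptions constructed for this demonstration.

```python
from dataclasses import dataclass, field

# Assumed sensitivity categories and control baselines (not from the guide).
SENSITIVE = {"health", "criminal", "biometric", "financial"}
BASELINE_CONTROLS = {"access_control"}
SENSITIVE_CONTROLS = {"access_control", "encryption_in_transit", "audit_logging"}


@dataclass
class Flow:
    """One row of the data flow map; field names are assumptions."""
    name: str
    data_types: set                      # categories of personal data carried
    destination: str                     # "internal" or the named recipient
    recipient_role: str                  # "internal", "processor" or "controller"
    lawful_basis: str = ""               # point *
    contract_terms: bool = False         # point **
    routine: bool = False
    sharing_agreement: bool = False      # point ***
    controls: set = field(default_factory=set)  # point ****


def check_flow(flow):
    """Return the gaps found for one flow, one string per point breached."""
    findings = []
    if not flow.lawful_basis:
        findings.append("no lawful basis recorded")
    if flow.recipient_role == "processor" and not flow.contract_terms:
        findings.append("processor without equivalent contract terms")
    if flow.destination != "internal" and flow.routine and not flow.sharing_agreement:
        findings.append("routine external sharing without Information Sharing Agreement")
    # The more sensitive the data, the more controls are expected.
    required = SENSITIVE_CONTROLS if flow.data_types & SENSITIVE else BASELINE_CONTROLS
    missing = required - flow.controls
    if missing:
        findings.append("missing controls: " + ", ".join(sorted(missing)))
    return findings


def risk_register(flows):
    """Map each flow with gaps to its findings, ready to record as new risks."""
    register = {}
    for flow in flows:
        findings = check_flow(flow)
        if findings:
            register[flow.name] = findings
    return register


# Constructed sample flows for the demonstration.
SAMPLE_FLOWS = [
    Flow("HR system -> payroll bureau", {"contact", "financial"}, "Payroll bureau",
         "processor", lawful_basis="contract", routine=True,
         controls={"access_control", "encryption_in_transit"}),
    Flow("Intranet staff directory", {"contact"}, "internal", "internal",
         lawful_basis="legitimate interests", controls={"access_control"}),
    Flow("Occupational health referral", {"health"}, "OH provider", "controller",
         routine=True, sharing_agreement=True, controls={"access_control"}),
]

if __name__ == "__main__":
    for name, findings in risk_register(SAMPLE_FLOWS).items():
        print(name, "->", "; ".join(findings))
```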
Gather key stakeholders around the table or in a virtual environment to conduct a thorough brainstorming exercise (or exercises).
Get them to think about all of the things that could possibly place your information assets at risk, and the level of risk that those things may pose.
Capture your learning in your information asset register, data flow map and overarching risk register.
Here are some pointers to help get your brainstorming started:
Now that you know the actual and potential risks that are posed to the personal data you process, you need to implement controls to mitigate the risks.
This can be easier said than done, depending upon the risks you face (as well as the resources you have). There are however, always pragmatic things you can do to mitigate risks in proportion to the threat they pose to your organisation.
Here are some basic examples:
Now that you have implemented pragmatic mitigating controls in proportion to the risks identified, it is necessary to measure the effectiveness of the controls.
You can achieve this by conducting routine data protection audits and monitoring the processing of personal data.
You can also use simple staff spot checks to learn whether staff both understand and are complying with their data protection responsibilities.
Where gaps are identified, you should record any new risks, and ensure that you alter or change the controls you have implemented to suit.
Need expert advice?
Should you require any assistance with identifying and/or effectively mitigating the specific data protection risks that your organisation faces, clear expert advice and affordable support is at hand.
Call IG Smart now on 020 3…….