Organisations face unprecedented levels of data protection risk.
In summary:
- Increased cybersecurity threats place the data of citizens, corporations, charities and countries at risk.
- Citizens and consumers alike are becoming more aware of data protection risks, and are consequently more cautious about the way they allow others to use their data.
- Regulators are clamping down hard on those that breach data protection laws (the new EU General Data Protection Regulation gives supervisory authorities the power to levy fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher).
There is a consequent need for organisations of all shapes, sizes and descriptions to do more to secure and maintain public confidence, by ensuring that the personal data they process are well-protected.
The challenge is finding solutions that are as efficient as they are effective. The following simple 3-point guide will go a long way toward helping you mitigate the data protection risks that your organisation faces.
- Know your risks
Firstly, you need to identify all reasonably foreseeable, actual and potential risks which threaten any personal data your organisation processes.
There are a number of ways that you can effectively achieve this – below are some of the methods that have proven to be both effective and efficient.
- Identify your information assets
Use a simple spreadsheet or database to keep a record of all of your information assets.
Information assets are data that are, for whatever reason (eg they are used to generate revenue, or you are required to keep them by law), important to your organisation, together with any underlying infrastructure. Information assets may include databases, paper records, applications, servers, external hard drives, USB memory sticks, websites, etc.
This will help you to understand the risks that are posed to any data you hold, whilst at rest.
Point to note: For data protection purposes it is only necessary to keep a record of information assets which contain personal data.
You should, as a minimum, capture the following:
- Classification (eg confidential, commercially sensitive, top secret)
- Volume
- Format
- Location
- Asset owner
- Relevant security controls
- Relevant disaster recovery and business continuity controls
- Map your data flows
You need to have a clear understanding of all the flows of personal data into, within, and out of your organisation. This will help you to establish the risks that are posed to your data whilst in transit.
To achieve this, get the people in your organisation with responsibilities for processing personal data to draw up a list and/or diagram that clearly sets out the types of personal data that flow into your organisation, how they move around your organisation, and the routes through which they leave your organisation.
You should, as a minimum, capture:
- Lawful basis*
- Contract**
- Information Sharing Agreement***
- Classification
- Volume
- Sensitivity
- Frequency
- Format
- Individual and/or department that sends/receives the data
- Security controls that are in place to protect the data whilst in transit****
Points to note:
* When your organisation sends personal data (whether internally or externally), you need to keep a record of what the lawful basis for sending the data is.
** If you are the data controller then you must ensure that you impose on any third party that processes data on your behalf, terms in contract which are equivalent to or greater than those imposed on you by the law of the land.
*** It is recommended best practice to ensure that any significant or routine sharing of personal data is underpinned by a robust Information Sharing Agreement.
**** You must ensure that there are adequate organisational and technological controls in place to protect the specific personal data that you process. Therefore, the more sensitive and confidential the data you process, the more you will have to do to ensure that there are robust security controls in place.
- Brainstorm
Gather key stakeholders around the table, or in a virtual environment, to conduct one or more thorough brainstorming exercises.
Get them to think about all of the things that could possibly place your information assets at risk, and the level of risk that each of those things may pose.
Capture your learning in your information asset register, data flow map and overarching risk register.
Here are some pointers to help get your brainstorming started:
- What impact would a breach of the confidentiality of a high-profile client have on your organisation?
- What impact would a massive data leak have on your organisation?
- What impact would a flood or fire have on your information assets?
- What impact would a DDoS attack have on your organisation?
- What vulnerabilities exist in the security of your network?
- Can more be done to protect the security of data at rest or in transit?
- Are there enough facilities to enable staff and clients to discuss confidential matters in private?
- What risk does social engineering pose to any of your confidential or commercially sensitive data?
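The three steps above (asset register, data flow map, brainstorm) all feed one overarching risk register. The following is an added example, not code from the original article or from IG Smart, showing how the fields listed above can be captured in a minimal register and checked automatically against the rules the article sets out (lawful basis for every flow, contract terms for processors, a sharing agreement for routine sharing, transit and at-rest controls proportionate to sensitivity). The field names mirror the article's lists; the sample assets and flows are constructed, and the severity thresholds and the "routine" frequencies are assumptions, not regulatory requirements.

```python
"""Minimal information-asset register, data-flow map and risk-register checker.
Illustrative example added to the article; sample records are constructed and
severity rules are assumptions, not legal requirements."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    classification: str           # eg "confidential", "commercially sensitive"
    personal_data: bool
    volume: int                   # number of data subjects (assumed unit)
    fmt: str                      # "database", "paper", "usb", ...
    location: str
    owner: str                    # "" means no asset owner recorded
    security_controls: list = field(default_factory=list)
    dr_bc_controls: list = field(default_factory=list)


@dataclass
class Flow:
    description: str
    sender: str
    receiver: str
    external: bool                # flow enters or leaves the organisation
    third_party_processor: bool   # receiver processes data on our behalf
    lawful_basis: str             # eg "contract", "consent"; "" = none recorded
    contract: bool                # data protection terms imposed in contract
    sharing_agreement: bool       # Information Sharing Agreement in place
    sensitivity: str              # "low" | "medium" | "high"
    frequency: str                # "one-off" | "daily" | "weekly" | "monthly"
    transit_controls: list = field(default_factory=list)


ROUTINE = {"daily", "weekly", "monthly"}          # assumed definition of "routine"
HIGH_CLASSES = {"confidential", "top secret"}     # assumed mapping to severity


def assess_assets(assets):
    """Findings for data at rest: (asset name, severity, issue)."""
    findings = []
    for a in assets:
        if not a.personal_data:
            continue  # only personal-data assets need recording for data protection
        if not a.owner:
            findings.append((a.name, "medium", "no asset owner recorded"))
        if "encryption-at-rest" not in a.security_controls:
            sev = "high" if a.classification in HIGH_CLASSES else "medium"
            findings.append((a.name, sev, "personal data not encrypted at rest"))
        if not a.dr_bc_controls:
            findings.append((a.name, "medium", "no disaster recovery / business continuity control"))
    return findings


def assess_flows(flows):
    """Findings for data in transit: (flow description, severity, issue)."""
    findings = []
    for f in flows:
        if not f.lawful_basis:
            findings.append((f.description, "high", "no lawful basis recorded"))
        if f.third_party_processor and not f.contract:
            findings.append((f.description, "high", "processor without contractual data protection terms"))
        if f.external and f.frequency in ROUTINE and not f.sharing_agreement:
            findings.append((f.description, "medium", "routine external sharing without an information sharing agreement"))
        if f.external and not f.transit_controls:
            sev = "high" if f.sensitivity == "high" else "medium"
            findings.append((f.description, sev, "personal data leaves the organisation with no transit controls"))
    return findings


def risk_register(assets, flows):
    """Combined register, highest severity first (sort is stable, so input order is kept within a band)."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(assess_assets(assets) + assess_flows(flows), key=lambda x: order[x[1]])


# Constructed sample data (not real organisations or systems)
SAMPLE_ASSETS = [
    Asset("CRM database", "confidential", True, 12000, "database", "DC1 rack 4",
          "Head of Sales", ["access-control", "encryption-at-rest"], ["nightly-backup"]),
    Asset("Field-visit USB sticks", "confidential", True, 300, "usb", "field staff", "", [], []),
    Asset("Marketing brochures", "public", False, 0, "paper", "reception", "Marketing", [], []),
]
SAMPLE_FLOWS = [
    Flow("Payroll export to bureau", "HR", "PayrollCo", True, True, "contract", True, False,
         "high", "monthly", ["sftp"]),
    Flow("Client list to mailing house", "Marketing", "MailCo", True, True, "", False, False,
         "medium", "weekly", []),
]

if __name__ == "__main__":
    for name, sev, issue in risk_register(SAMPLE_ASSETS, SAMPLE_FLOWS):
        print(f"[{sev:6}] {name}: {issue}")
```

Run against the constructed data, the CRM database produces no findings, the unowned, unencrypted USB sticks produce three, the payroll flow only lacks a sharing agreement, and the mailing-house flow (no lawful basis, no contract, no agreement, no transit controls) produces four, so the mailing-house and USB issues surface first. Extending the rules (for example, flagging high-volume assets without disaster recovery controls) is a one-line change.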
- Implement proportionate & pragmatic controls
Now that you know the actual and potential risks that are posed to the personal data you process, you need to implement controls to mitigate the risks.
This can be easier said than done, depending upon the risks you face (as well as the resources you have). There are, however, always pragmatic things you can do to mitigate risks in proportion to the threat they pose to your organisation.
Here are some basic examples:
- Ensure that your staff (including contractors, agency staff and volunteers) are given the confidence to discharge their data protection responsibilities, through robust training and clear guidance.
- Ensure that all contracts with employees and third parties that process data on your behalf meet current internationally recognised best practice.
- Ensure that personal data are encrypted at rest and in transit (the strength of encryption your data will need depends upon their classification).
- Ensure that penetration tests (authorised tests that probe for exploitable security vulnerabilities) are routinely conducted.
- Obtain and maintain internationally recognised security certifications (eg ISO 27001).
- Audit & Monitor
Now that you have implemented pragmatic mitigating controls in proportion to the risks you face, it is necessary to measure the effectiveness of those controls.
You can achieve this by conducting routine data protection audits and monitoring the processing of personal data.
You can also use simple staff spot checks to learn whether staff both understand, and are complying with their data protection responsibilities.
Where gaps are identified, you should record any new risks, and adjust the controls you have implemented to suit.
Need expert advice?
Should you require any assistance with identifying and/or effectively mitigating the specific data protection risks that your organisation faces, clear expert advice and affordable support is at hand.
Call IG Smart now on 020 3…….