6 Questions your Business Should Consider to Determine any Data Security Risks
This blog explains some of the Data Protection Act legal and compliance risks that regulated-sector businesses face when processing their clients’ confidential data.
Between 2011 and 2013 there was a 145% increase in penalty notices issued by the UK regulator [ICO]. A PricewaterhouseCoopers study found that 60% of small businesses had an information security breach in 2014 [PWC].
Many businesses are moving their data systems to cloud solutions and rely on the data security infrastructure offered by the cloud provider. However, recent high-profile information breaches at large organisations such as Amazon and Google have made businesses rethink using the cloud. Larger companies can afford a more secure, sophisticated and protected cloud platform, but smaller companies will put cost ahead of security or compliance, which makes them a target for determined hackers.
At JMS Secure Data we suggest that, in addition to having an IT support company, you consult Data Protection experts who can review and advise on your firm's data infrastructure to reduce the chance of a data breach and, more importantly, reduce your financial and legal liability should an attack occur.
Here Are Some Questions Your Business Should Consider to Determine Your Data Risk
1. Do I have obligations as a Data Controller under the Data Protection Act?
Yes. As a data controller you have responsibilities under the Data Protection Act when processing your clients’ personal data. The ICO expects you to meet all 8 principles of the DPA irrespective of the size of your company.
2. Can I outsource my responsibilities as a data controller to a third party?
You cannot pass all of your responsibility to a third party if you use personal data as a data controller. As a data controller you will generally have discretion over which third parties you choose to assist with how you process your clients’ records; however, the responsibility remains the data controller's, and any data breach will be the liability of the controller if he or she is classed as a data controller under the Data Protection Act.
3. Will I have liabilities if data stored on the cloud is breached or misused?
As the data controller, how your data is managed is solely your responsibility. It is therefore the data controller who needs to ensure that due diligence is applied when choosing a cloud platform to back up or store your data. The key considerations are: 1) encryption security; 2) the location of the data centre servers. It cannot be assumed that transferring your data to a third-party cloud provider takes away your responsibility for the security of where and how the data lies within the cloud.
4. What are the chances of enforcement if a breach does occur?
The ICO is set to become more proactive in pursuing action against smaller companies going forward, even when no complaint has been raised. A tougher regulatory environment is presently being implemented for 2015/2016. So far the ICO has levied fines for data breaches, and we expect this activity to increase with the changes under the new regulation. A major factor in your risk is whether any of your activities are likely to trigger a complaint.
5. Will using Encryption technologies provide adequate protection?
The term "encryption" is widely misused. In order to maintain compliance with the Data Protection Act, the encryption needs to meet a relevant benchmark such as FIPS 140-2 certification. The data generally needs to be stored in an EU data centre, and you (as the data controller) need to maintain control of the encryption key.
6. What proactive steps can I take to protect my data?
Undertaking a data protection health check now could highlight present failings or weak spots that would cause significant problems or breaches under the DPA when the regulations come into effect. The regulations, including the means and reasons for processing data, must be built into an enterprise’s operations by design and by default. This involves appropriate technical and organisational measures.
Identifying how your data is treated in your business will put you in a strong position not only to comply with the Regulation but also to protect your business's confidential information.
JMS Secure Data has over 15 years’ experience in IT data security development and operates in regulated sectors. We provide technical solutions for compliance under the Data Protection Act, ensuring your data is safeguarded and your business is protected and compliant.
This blog does not constitute legal advice; if you have any concerns regarding data protection, please contact us.