As data protection becomes more and more serious for companies and consumers here we outline some of the resources available to help navigate the topic.
It is fair to say that there has been a lot of focus in the past 12 months on the new European GDPR and Jersey’s Data Protection legislation which significantly enhanced the rights of individuals and made organisations more responsible for how they manage personal data.
As consumers we all know why data protection is important. We are all part of an online, data driven world where almost every transaction and communication results in the sharing of personal information. As individual’s we want to know that organisations, including governments, are having to examine how and why they collect our data, what they need and that they are using it appropriately.
The seriousness with which data is being taken has just been reinforced by Jersey’s Office of the Information Commissioner which recognised Data Protection Day, on 28th January. A series of events saw over 700 individuals and business owners and leaders being reminded about their rights and responsibilities.
For business, these responsibilities go past deciding what data management plan to put in place as it becomes increasingly important for organisations to consider their physical and cyber security as an integrated element of their data protection activity.
Of course, having the right IT security policies goes a long way to stopping incoming attacks on systems and data, but to be robustly safe, businesses need to create a culture of effective data management. If every individual in an organisation really understands and buys in to the importance of data to the organisation, the type of data they are handling, how to collect it, use it and protect it then every employee becomes part of a joined-up security system.
All this can sound like a mammoth task and yet another activity that adds cost and management time to running a business but it needn’t be that way. On top of the technical IT solutions there are some simple things that can make a big difference.
Training staff regularly to help them identify incoming phishing attacks is a great place to start. Recognising the look and feel of spoof emails; enabling staff to double check messages, internal or external, that ask for an unusual payment to be made; having a process that double checks the details of new or changing supplier bank account details are all simple policies that empower employees to be your front line of defence. Add an extra layer of security by implementing confidentiality policies and simple practices such as a clear desk policy which should ensure that sensitive data is physically locked away.
Of course all this takes time and effort and it can be hard to carve a space in the day to get appropriate measures in place especially when you might not be a data or IT expert. Although you cannot outsource your responsibilities, you can get specific, focused and specialist IT, data protection and cyber security support to help you. If this is the route you take it is important to work with someone who you can trust, who can adapt their support to the size of your business, the type of data you hold and the systems you have in place. Ask them about their own data protection regime and see if how they work in their own business resonates with you.
Finally you should consider if it would be beneficial for you to seek formal recognition through an accreditation, which might be useful if you have customers who want reassurance about the policies and processes you have in place to protect your systems and data. For small businesses a scheme such as Cyber Essentials is a good starting point and is being widely adopted in the UK and more recently in Jersey.
If you need to discuss your concerns or options you will find more information and links on the ‘Systems, data & cyber security’ pages on our website along with events that we run on these topics. You can, of course, email us or come in and talk to one of our advisors.
Whatever you do, please don’t do nothing! 69 enforcement actions, including 37 monetary penalties, were issued by the UK’s ICO in 2018 so expectations of both the regulators and individuals are rising. As a business leader the importance of data protection in its broadest sense should be working its way towards the top of your risk register and to do list.