Data protection should be a priority for small businesses – and yet it is frequently overlooked.
2014 saw a number of high-profile data protection problems suffered by well-known companies (see infographic below). From unauthorised access to data loss, businesses of all sizes and types have suffered as a result of poor data protection processes.
Following an overhaul of the powers available to the Information Commissioner’s Office, the maximum fine for firms in breach of the Data Protection Act is now £500,000. Yet according to research from the Ponemon Institute and IBM, almost a third of firms have never trained their staff in data protection.
As an entrepreneur you need to think carefully about protecting your data – both in order to comply with the Act, and in order to keep your business safe.
How to protect your data
The Data Protection Act places a number of duties on small businesses. Of these, ensuring that personal data is secure is amongst the most important.
There are a variety of measures you might need to consider in order to secure the data your business holds. The steps you take will depend on the nature of your business, and the way in which you handle that data.
Encryption is one of the most important considerations for any business – it can help to ensure that data is only available to those with the right to access it. If you conduct transactions through your website it is absolutely vital that they are properly encrypted.
Most e-commerce solutions will provide you with some degree of encryption out of the box, but note that anything less than 128-bit encryption is now generally considered too weak. Your emails should be encrypted, and you should consider encrypting your hard drives. You may need to take professional advice in order to ensure that you choose the right solution.
Encryption isn’t the only way in which you can protect your data. You should also think about more straightforward means by which you can keep information safe. Limiting access is amongst the most important of these.
You should operate a needs-based policy for data. Access should be restricted to those individuals that actually need it. For example, there is unlikely to be any reason why someone in your sales department needs to see the payroll records. Regularly review your access arrangements, and make sure that you remove access privileges for individuals who leave the company.
Physical security is also important. At the very least you need to make sure that your premises are secure. This means that doors and windows need to lock properly, alarm systems need to be installed, and so on. You should pay particular attention to the area in which your servers are stored. If they are on site, make sure that they are in a locked room to which access is restricted. Alternatively, if you are outsourcing your server provision, make sure that your chosen provider has sufficiently robust security arrangements in place.
Follow the links below to read more about the Data Protection Act and how it impacts small businesses, and to download a quick check list from the Information Commissioner’s Office.
- Visit the ICO web site – data protection guidance for small businesses
- Download a quick ‘how to comply’ check list
Infographic from Databreachtoday.com