Comb your sector’s legal responsibilities towards data and identify those elements that place a data protection obligation on you.
In law you are required to exercise appropriate care of personal data, meaning information that can reasonably identify an individual. Name, address, age, bank details and other personal history may identify nobody on their own, but used together they can uniquely identify an individual, and holding them places a special legal duty of care on you.
Financial data is especially sensitive within personal data. Loss of it, or loss of control over it, can be the basis of civil and criminal proceedings.
Most security breaches are not entirely external. They usually have an insider component, such as knowledge or information leaking out to criminals who then exploit it. These risks are compounded if you have not controlled the exposure of other people's data, especially personal data, and can result in criminal proceedings against the senior staff and directors responsible for that data.
You may need to pay particular attention to the country in which the data is stored. This is especially relevant if you use cloud storage (remember this includes services such as Google Docs and Microsoft's SkyDrive) and are unaware of the ultimate geographic location of your data, because another country's authorities may be able to demand to see the information you hold. This might sound like far-fetched paranoia, but there are many instances of US authorities requesting access to non-US data held on US-located servers, and they continue to attempt to gain access to information on servers outside the USA, particularly in Ireland. Several lawsuits drag on. Know where your data is physically stored and which jurisdictions can compel access to it.
Some businesses supply other companies that require a security audit of their suppliers to be carried out by a third party. We can and do conduct these audits as part of our programme of Audit Services.
Formulate a set of policies relating to data use. We recommend you require all staff to read and sign a copy to confirm that they have understood how to implement them. These should become part of their employment contract if possible. Signed policies also form part of the evidence that the business applied due care, gave staff clear guidance and provided the means to follow that guidance in practice.