Data protection is something no business should take lightly. As we keep seeing in the news, large-scale breaches happen, even at the biggest companies. And the fallout for failing in this regard can be severe, in terms of lost business, damage to a firm's reputation and legal consequences from both unhappy customers and regulatory bodies.
One of the biggest drivers for many firms right now when it comes to improving data protection policies will be the EU's forthcoming GDPR, which aims to set out much clearer rules about what is expected of businesses when it comes to handling individuals' personal data - including information concerning both customers and employees.
Even though this regulation comes from the EU, it's set to have a global impact, as any company that holds information related to an EU citizen will have to abide by the rules - so any enterprise that does business in Europe will be affected. This sets the maximum penalties for serious data protection failings at €20 million or four per cent of a firm's global turnover - whichever is higher - and this could have a huge impact on any firm that suffers a breach.
For example, last year, UK telecoms firm TalkTalk received a fine from its local regulator, the Information Commissioner's Office, of £400,000 following a breach that saw hackers gain access to customer data. This was one of the biggest corporate data protection fines recorded in the UK, but one analysis suggests that had the GDPR rules been in effect at the time, the penalty for this failing would have been £59 million.
Therefore, having a clear data protection policy in place to guard against breaches is a must. But what do you need to bear in mind to ensure this is implemented successfully? Here are a few of the key questions you'll need to answer.
What is it and why do you need it?
The first question many business managers may ask of their IT department is why they need a formal policy at all. It's not a legal requirement under the DPA, but there are several reasons why having this documentation is so important.
In addition to outlining key security practices, a good data protection policy will detail how a business should respond to an incident, including how to contact and answer queries from staff and customers and steps for mitigating negative media coverage. It can also limit your legal liability by demonstrating you have taken reasonable steps to avoid a breach.
When do you need to refer to your policies?
There are several key occasions when your business will have to refer to its data protection policy. These include:
- Informing staff and customers about your use of their personal data.
- Educating employees about their responsibilities when handling data.
- To ensure compliance with legal requirements.
What types of data need to be covered?
The policy must spell out exactly what types of personal data will be collected and how it will be handled. To ensure compliance, data collection and retention needs to be kept to a minimum - but even so, most businesses are likely to have a large amount of personal data that is subject to regulation. These include, but are not limited to:
- Personally identifiable information (eg. names, addresses and phone numbers of staff and customers)
- Sensitive personal data (eg. information on a person's political and religious beliefs, ethnic origin, health issues, criminal records etc.)
- Biographical/action data (eg. Activity logs, performance records, purchasing history etc.)
Data protection policies must identify exactly what types of information a business possesses
Who needs to take responsibility for data?
Another impact of the incoming GDPR that will impact policies is the requirement to designate a data protection officer (DPO). Such an appointment is mandatory for public authorities, as well as businesses where core activities of the data controller or processor involve "regular and systematic monitoring of data subjects on a large scale".
These individuals will be responsible for overseeing an organization's entire data protection strategy, including educating staff, conducting audits to ensure compliance, and being the point of contact between a company and regulators. All this needs to be detailed within the policy.
How will data be used within the business?
When it comes to communicating with customers, one of the key questions that a policy will need to answer is exactly how their personal data will be used. Regulations have clear limits on the extent to which businesses can handle data; data must be used fairly and be obtained only for specific purposes, which must be spelled out in the policy. The data must also be accurate, relevant and deleted when it is no longer necessary.
This section of a data protection policy must also detail what rights users have to access their own data, as well as procedures that should be followed when such a request is made.
What to do in the event of a breach
Though a well-crafted data protection policy should go a long way toward reducing a firm's risk of a breach, it may be the case that even the best-laid plans can't account for every circumstance, so the section detailing what steps must be taken in the event of a breach will be critical.
Once GDPR comes into force, notifying the relevant parties will become much more important. In the past, many companies have come in for criticism for lengthy delays between discovering a breach and reporting it to customers and regulators. But under GDPR, this isn't just poor practice - data controllers will be required to report breaches within 72 hours of discovery. Procedures for this must, therefore, be a part of any data protection policy, specifying when a breach must be reported and how to go about this.
Keeping your policy accessible and up-to-date
A data protection policy will be of no use to anyone if it is simply completed to check boxes and then left in a drawer, never to be seen again. The document needs to be understandable and easily available for staff to refer to when they need advice, as well as being part of your onboarding program.
It must also be reviewed regularly to take into account any changes either in the regulatory landscape or how the company does business. Any time an organization adjusts its processes related to how it uses data, the protection policy will need to be reviewed and updated.