Whether you’re bound by the demands of the FCA, the guidance of the Care Quality Commission or the general provisions set out in the GDPR, it’s likely your business falls under the scope of regulatory compliance. Failure to meet compliance obligations can carry severe penalties, ranging from reputational destruction to financial penalties and legal action, meaning it’s vital to have a comprehensive set of checks and balances in place to ensure you meet your obligations.
In respect of your IT systems, the security principle of the GDPR sets out a succinct and valuable piece of guidance, stating that personal data should be:
‘…processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures…’
So often, IT companies focus on the ‘technical measures’ needed by their clients, which makes sense as cyber security falls within the remit of a committed and proactive IT partner. ‘Organisational measures’, however, often go overlooked, despite being vital components in a business’s data protection architecture.
‘Organisational measures’ refer to the human-level controls, procedures, standards and practices organisations can institute in order to safeguard personal, or business-critical information. They often provide the framework upon which specific technical controls rest, and are vital to ensuring all staff are reading from the same hymn sheet when it comes to data security. Some of the key organisational measures all businesses should consider include:
The establishment of a Business Continuity Plan
The main objective of a business continuity plan is ensuring your organisation can swiftly and effectively recover from a disruptive event such as a cyber attack or natural disaster. A vital component of this objective is having measures in place to back up personal and business-critical data. A detailed BCP should include information about the backups in place, and the role of your team in coordinating the disaster response in a way that maintains the integrity of data as much as possible and minimises further disruption.
Developing Information Security policies, procedures and behavioural guides
It’s useful to set out data handling best practice in the form of written policy/procedural documents that your team can easily refer to. A written BYOD (bring your own device) policy should be used to set out the parameters for secure use of personal devices, a “clean desk” policy could be implemented to prevent the loss of paper copies of information and a business continuity plan should include provisions which safeguard data using damage mitigation measures. Information security policies should be established covering areas like: password management, acceptable use, remote access and the use of portable media.
Security training
User-initiated actions remain a leading cause of data breaches, so it’s vital your team understands where security vulnerabilities lie, and what responsibilities they have in ensuring data is processed in a compliant manner. Training should include the likes of phishing awareness, good password practice, remote device security and web safety.
Regular audits
Plans, procedures and policies should be tested using regular audits and stress-tests. Simulated attacks can be used to test the efficacy of business continuity measures, staff security awareness can be measured using quizzes and remote devices should be regularly examined to ensure compliance with BYOD policies.
Due diligence checks
As a data controller, ultimate responsibility for the security and integrity of any data you’re entrusted with lies with you. This means performing due diligence checks against any third-party data processors is vital to ensure they have the necessary technical and organisational measures to safeguard your data.
Frequent risk assessments
In addition to being a regulatory requirement in various sectors, risk assessments are a great way to identify the risks posed to data and apply the appropriate technical and organisational measures in response. The National Cyber Security Centre recommends that risk assessments are carried out at individual component level (considering risks inherent in individual software/hardware components) and at system level (examining data-handling mechanisms as a whole for vulnerabilities).
Establishing sound data protection policies is a core tenet of GDPR compliance and is useful in ensuring compliance with more industry-specific regulations. In our next article we’ll look at the technical devices and controls all data handling businesses should implement to meet data security obligations.
Commercially-savvy I.T, the Everon way
Here at Everon our multi-sector experience makes us uniquely aware of the varying commercial pressures organisations face. The current economic climate has amplified these pressures, making it more vital than ever that your business’s technology aids your commercial goals and doesn’t constitute a financial burden.
Get in touch to learn more, and we can set your business on the path to higher profit margins and financial resilience, through the strategic deployment of technology.