Hacked Off … A genuine need to safeguard data
We’re all reasonably familiar with data protection, or at least the concept of it. As business owners, we handle a huge amount of data, much of it via the internet, whether it’s via a website, completing an online purchase or just corresponding using e-mail! This presents risks; often termed cyber risks, in relation to the interception and misuse of that data; attacks from criminals who stand to benefit financially from selling on this information are, sadly, a reality.
From a business perspective, aside from the risk of a complaint or negative experiences being shared via social media, breach of data protection (particularly where this involves an individual’s personal data), can have wider consequences. Businesses need to be alive to their obligations and these risks.
Handling personal data, which includes name and address details (but may involve more sensitive data such as health records, for example), requires registration as a ‘data controller’ with the Information Commissioners’ office; our own registration at Solicitors Title states that we use client’s information for advising our clients and maintaining our own accounts and records, as you might expect; but it does not go further than this; we do not sell our client’s data to third parties, for example; as a result, this ensures confidence in how their data is handled and the reasons why we ask for it.
Alongside registration, the Data Protection Act 1998 incorporates 8 principles, one of which is the need for data to be secure; a data controller must ‘take appropriate technical and organisational measures’ to protect personal data from being compromised, in other words being “cyber secure”. These measures are, of course, higher if particularly sensitive data is concerned. In addition, the extent of the measures that you adopt will depend on the size and nature of your business.
So what does this mean?
Essentially, the security should be appropriate to the nature of the information in question and the harm that might result from its improper use, or from its accidental loss or destruction; businesses are required to consider and adopt an appropriate level of security to prevent the personal data they hold being accidentally or deliberately compromised.
But that might still require some sophistication, to safeguard against hackers and those without the best of intentions.
Simple measures, such as use of strong passwords for networks and websites, whether a company’s own or other providers that they use as part of their own work, can easily be employed. The safety and security of mobile devices are now becoming more relevant, as adoption increases.
Another key question is: who, in your organisation, should have access to certain data? We regularly advise clients on NDAs (non-disclosure agreements) that can be quite specific about these issues, and for good reason.
The second principle under the act requires data to be processed only for limited purposes; in other words, only for the purpose(s) for which it was given. To put it simply, any personal information your store on computers or in paper files must only be accessible by people with permission to see it. Have you considered these issues recently?
A failure to manage data, computer and communication systems properly can risk breach of the Principles and other obligations, whether under contracts or in relation to confidentiality. A business, faced with problems, might be legally required to carry out detailed, costly and lengthy investigations, or to notify regulators, law enforcement agencies, business partners or people affected, impacting on performance and growth.
Businesses that get things right (by having clear policies that are effective and workable) are less likely to face difficulties. And if you come to sell your business, carefully thought-through cyber-security can maximise the value of your digital know-how, meaning potentially a competitive advantage. These days, consumer trust, data protection and security measures often go hand in hand.