In part one of this blog series, I explained that firms need to take a holistic three stage approach to ensure data is kept secure, and therefore comply with data protection regulation and avoid fines.
In this blog, I explore how companies can put these three stages - education, policy and technology - into practice:
Implement a policy
Businesses need to have a clear data and device policy that is communicated to their staff and acted on. Within this, there must also be clarity on how data is classified, with distinct data classification protocols. These shouldn't be written in overly legal or technical language, but rather in a tone that all employees will understand. That way, both the company and its employees are kept fully aware of what they're allowed to do with their devices. Having a good policy in place ensures it is clear when employees have breached
Train and educate employees
The human factor is often the weakest link in a company's data security, which is why it's so important that employees are sufficiently trained and educated to avoid security slip-ups. It's vital to be able to demonstrate to your employees the impact that poor data security practices can have on the whole company, so that they understand why their support is necessary. However, it's not as simple as pinning a piece of paper with a list of rules to the office wall or downloading a training package from the internet. Data security best practices need to be engaging, relevant and tailored to the jobs people are doing.
Utilise a technology solution
Despite setting out a cohesive device policy and thoroughly educating staff, there is still a vital third element. Employees will break the rules, both accidentally and on purpose. This is why it's so important to have an underlying technology solution that can protect the business in the event of a data breach. Businesses need to be able to persistently track, manage and secure all devices used at work, as well as the data stored on them. Most importantly, the technology used will also allow a company to prove that compliance processes are being properly enforced and adhered to.
With the rise in data consumption driving increased regulation, organisations must put policy, education and technology in place to avoid the increasingly real issue of data loss. However, should a company not have these constituents in effect, it should still alert the ICO. Punishment can spiral if evidence of withholding details of a breach is uncovered. Also, the ICO has discretion in every case and can provide assistance by agreeing next steps, which may bury a breach and leave the business's reputation (and bank balance) intact.
Putting GRC on the agenda
With the threats of fines, damage to reputation and possible criminal prosecution, CIOs can't take their data security for granted, and GRC has to become a boardroom issue. This will become even more urgent when the new EU Data Regulation comes into force in 2017. The core principle of this legislation is that personal data should not be processed by businesses except where certain compliance conditions are met. This may sound like a mountain to climb if you're starting from scratch. But if businesses start preparing now, the new laws will be less of a challenge when they come to fruition.
A policy has to be clear and accessible; the BYOD training given to employees must be relevant to them and the organisation; and there must be proper data protection software in place. Business mobility can have countless business benefits, but it must be managed properly to counter risk and comply with regulation. And if a breach should occur, the employer may be able to escape sanctions if it can prove that it did everything it could – policy, training, and technology – to prevent the breach.
With such a complex compliance environment, it's now essential to take this three-pronged approach to make sure all bases are covered and that organisations have the upper hand.