Data protection should be a vital priority for small businesses – and yet it is frequently overlooked.
The last few months have seen a number of high profile data protection problems suffered by well-known companies. From unauthorised access to data loss, businesses of every size have suffered as a result of lax data protection processes.
Following a revamp of the powers available to the Information Commissioner’s Office, the maximum fine for firms in breach of the Data Protection Act is now £500,000. Yet according to research from Shred-it, almost a third of firms have never trained their staff in data protection.
As an entrepreneur you need to think carefully about protecting your data – both in order to comply with the Act, and in order to keep your business safe.
How can I protect data?
The Data Protection Act places a range of responsibilities on small businesses. Of these, ensuring that personal data is secure is amongst the most important.
There is a range of measures you might need to consider in order to secure the data your business holds. The steps you take will depend on the nature of your business, and the way in which you handle that data.
Encryption is one of the most important considerations for any business. By encrypting your data you help to ensure that it is available only to those with the right to access it. If you conduct transactions through your website it is absolutely vital that they are properly encrypted. Most ecommerce solutions will provide you with some degree of encryption out of the box, but it is worth noting that anything less than 128-bit encryption is now generally deemed too weak. Your emails should be encrypted, and you should also consider encrypting your hard drives. Again, there are out-of-the-box products that will help you achieve this, but you should understand that you may need to take professional advice in order to ensure that you choose the right solution.
But encryption isn’t the only way in which you can protect your data. You should also think about more prosaic means by which you can keep information safe. Limiting access is amongst the most important of these.
You should operate a needs-based policy for data. Access should be restricted to those individuals that actually need it. For example, there is unlikely to be any reason why someone in your marketing department needs to see the payroll records. Regularly review your access arrangements, and make sure that you remove access privileges for individuals who leave the company.
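The needs-based policy described above can be made concrete and checkable rather than left as a paper rule. The following is an added illustration, not code from the original article: it keeps a register of who holds access to what, ties each grant to a role's documented needs, revokes everything the moment someone leaves, and produces the kind of findings a regular access review should surface. The staff names, roles, resources and dates are constructed sample data.

```python
"""Needs-based (least-privilege) access register: grants, leaver revocation, periodic review.

Added example with constructed sample data; the roles and resources are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import date

# Which resources each role genuinely needs. Anything granted outside this
# map is flagged at review time (e.g. marketing holding payroll access).
ROLE_NEEDS = {
    "marketing": {"campaign-analytics", "crm"},
    "finance": {"payroll", "crm"},
    "it-admin": {"server-room", "backup-console"},
}


@dataclass
class Grant:
    resource: str
    granted_on: date
    justification: str


@dataclass
class Person:
    name: str
    role: str
    active: bool = True
    grants: dict = field(default_factory=dict)  # resource -> Grant


class AccessRegister:
    def __init__(self, today: date):
        self.today = today
        self.people = {}

    def add_person(self, name: str, role: str) -> Person:
        person = Person(name, role)
        self.people[name] = person
        return person

    def grant(self, name: str, resource: str, justification: str, granted_on: date = None):
        """Record a grant. Every grant carries a written justification and a date."""
        person = self.people[name]
        if not person.active:
            raise ValueError(f"{name} has left the company; no new access may be granted")
        person.grants[resource] = Grant(resource, granted_on or self.today, justification)

    def can_access(self, name: str, resource: str) -> bool:
        """Access is denied unless the person is active and holds an explicit grant."""
        person = self.people.get(name)
        return bool(person and person.active and resource in person.grants)

    def offboard(self, name: str) -> list:
        """Leaver process: revoke every grant immediately and mark the person inactive."""
        person = self.people[name]
        person.active = False
        revoked = sorted(person.grants)
        person.grants.clear()
        return revoked

    def review(self, max_age_days: int = 90) -> list:
        """Periodic access review. Returns (person, resource, reason) findings for
        grants outside the role's needs, grants older than the review window,
        and any inactive person who still holds access."""
        findings = []
        for person in self.people.values():
            if not person.active:
                if person.grants:
                    findings.append((person.name, "*", "inactive user still holds access"))
                continue
            needs = ROLE_NEEDS.get(person.role, set())
            for resource, grant in person.grants.items():
                if resource not in needs:
                    findings.append((person.name, resource, "outside role needs"))
                elif (self.today - grant.granted_on).days > max_age_days:
                    findings.append((person.name, resource, "grant older than review window"))
        return findings


def demo() -> dict:
    """Walk the policy through constructed sample staff and return the outcomes."""
    reg = AccessRegister(today=date(2024, 6, 1))
    reg.add_person("alice", "marketing")
    reg.add_person("bob", "finance")
    reg.grant("bob", "payroll", "runs monthly payroll")
    # A 'temporary cover' grant from months ago that nobody removed.
    reg.grant("alice", "payroll", "temporary cover", granted_on=date(2024, 1, 15))
    findings = reg.review()
    revoked = reg.offboard("bob")
    return {
        "alice_payroll_before": reg.can_access("alice", "payroll"),
        "findings": findings,
        "revoked_from_bob": revoked,
        "bob_payroll_after": reg.can_access("bob", "payroll"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The review deliberately reports marketing's payroll access as "outside role needs" even though the grant was once justified; the point of a regular review is that temporary arrangements do not quietly become permanent, and offboarding removes access in one step rather than resource by resource.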
Physical security is also important. At the very least you need to make sure that your premises are secure. This means that doors and windows need to lock properly, alarm systems need to be installed, and so on. You should pay particular attention to the area in which your servers are stored. If they are on site, make sure that they are in a locked room to which access is restricted. Alternatively, if you are outsourcing your server provision, make sure that your chosen provider has sufficiently robust security arrangements in place.
What else does the Data Protection Act mean for my business?
It is important to understand that data security is not the only stipulation made by the Data Protection Act. The Act may place a series of important responsibilities on your firm. Read more about the Data Protection Act for small businesses.