19th June 2018
As the owner of a new or growing company, you will be doing everything you can to support your business, and data protection should play a key role. On 25 May 2018 the General Data Protection Regulation (GDPR) came into force, accompanied in the UK by the Data Protection Act 2018, which replaced the Data Protection Act 1998. Its changes are wide-ranging, including a significant increase in the obligations on companies to protect the personal data held in their systems.
Aside from the legal implications, there are numerous reasons why you should focus on and invest in robust data protection to safeguard your business. Primarily, it makes good business sense. Data breaches could jeopardise the privacy rights of your customers, prospects, supply chain partners and employees, as well as causing significant reputational damage to your business. As a small- to medium-sized business, here are five key data protection principles to help you keep your data safe.
Bring your own device
With the increase in flexible working and mobile devices, it’s now common practice (especially among smaller businesses) for employees to access their company’s network and emails from their own devices. ‘Bring your own device’ (BYOD) offers excellent cost savings and flexible working opportunities by integrating personal devices into business networks, but it can also pose a threat if those devices aren’t covered by your company’s security controls. To counter this threat, make sure every device that touches company data is known to you and managed: that could mean restricting access to approved devices or applications, requiring a passcode and encryption on the device, and being able to wipe company data from it if it is lost or the employee leaves (this also applies to laptops and USB flash drives). Furthermore, make sure anyone planning to use a personal device for company work has it set up and secured by your IT technicians first.
Virus and phishing protection
Effective data safeguarding means having up-to-date protection against malware. Ransomware, in particular, poses a significant threat to businesses: it is malicious software that encrypts the files on your systems and demands payment for the key to unlock them. Infection can happen simply by opening a malicious attachment or clicking an infected link, and before you know it your files are inaccessible. The best defences are to keep operating systems and applications patched, keep firewalls and antivirus software updated, and filter email attachments where you can. Just as important, keep regular backups that are stored offline or otherwise out of reach of the machines that might be infected (ransomware will encrypt any backup it can reach), and test that you can actually restore from them; that way you can get back to work quickly without having to pay a ransom.
Phishing and spear-phishing are also considerable threats. The former takes a scattergun approach and the latter is targeted at specific individuals, but both involve criminals posing as a trusted party, such as a bank, building society or utility company (or, in the spear-phishing case, a colleague or supplier), in order to obtain security information or bank details. Never give out security information, or make a payment, on the strength of an unsolicited message or call. Remind your employees of this regularly, too. If you’re ever in doubt about the authenticity of a request, contact the organisation using a number or address you already hold, not the contact details given in the message, and verify the request. Similarly, make sure your clients know the process you would use if you ever needed to verify their security information or bank details, so that they are not duped by fraudsters pretending to be from your company.
Best practice policies
As a small or growing business, it’s important to have best practice policies in place when it comes to data protection in order to embed proper safeguarding protocols. These should cover both hardware misuse and privilege misuse.
Hardware misuse can occur when employees leave their devices unattended, for example if someone leaves their workstation but forgets to lock their computer or mobile. This creates an opportunity for others to catch sight of, or access, confidential information. Configure devices to lock automatically after a short idle period so that a lapse by one person does not leave the screen open all afternoon.
Similarly, privilege misuse can occur when someone has access to an account or files that they shouldn’t. This can happen through shared workstations or shared logins, or because confidential files have not been ringfenced with access controls. Unless there is a good reason, no one should have access to all of the information on your business’s network: give each person access only to what their role requires. In particular, HR files and customer information should be held where only authorised employees can open them, with individual logins rather than shared ones, so that any access can be traced back to a named person.
Visitors and ex-employees
Ex-employees can become the source of high-profile data leaks, as they sometimes feel entitled to take information with them to a new job. It’s not unheard of for former employees to offer contact databases, customer lists or trade secrets to a new employer, or to use this information to start up a rival business. To protect your proprietary information, clearly stipulate the rules regarding data and intellectual property in employment contracts, and make it clear that intentional breaches could result in legal action. Additionally, once an employee has given notice, consider restricting their access to sensitive information, and make sure all of their accounts and access are removed on their last day. You can also monitor user accounts to check whether unusually large amounts of data have recently been downloaded, comparing against that person’s normal level of activity rather than a single fixed threshold.
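One way to run the download check described above, as an added example that is not part of this article: the Python below reads a constructed file-access audit log (the CSV format, user names and byte counts are all made up for illustration) and flags listed leavers whose recent daily download volume is far above their own earlier baseline, or above a fixed floor when they have no earlier history. It generalises slightly beyond the text in that the same function can be pointed at any set of users, not only leavers.

```python
"""Flag users whose recent download volume is out of line with their own history.

Added example, not code from the original article. The log format below is a
constructed stand-in for a file-server or cloud-storage audit export; adapt
parse_log() to whatever your own system produces.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample audit log: date,user,action,bytes (one event per line).
SAMPLE_LOG = """\
2018-06-01,alice,download,120000
2018-06-04,alice,download,95000
2018-06-12,alice,download,110000
2018-06-18,alice,download,4800000000
2018-06-19,alice,download,6100000000
2018-06-02,dave,download,50000
2018-06-05,dave,download,60000
2018-06-17,dave,download,55000
2018-06-18,carol,download,700000000
2018-06-19,carol,upload,300
2018-06-01,bob,download,30000
2018-06-18,bob,download,9000000000
"""

# Constructed list of staff who have handed in their notice (would come from HR).
LEAVERS = {"alice", "carol", "dave"}


def parse_log(text):
    """Yield (day, user, action, size_bytes) tuples from the CSV-style log."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, user, action, size = line.split(",")
        yield date.fromisoformat(day), user, action, int(size)


def daily_downloads(events):
    """Return {user: {day: bytes downloaded that day}}; uploads are ignored."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, action, size in events:
        if action == "download":
            totals[user][day] += size
    return totals


def flag_users(log_text, users, as_of, recent_days=7, ratio=10, floor=100_000_000):
    """Return {user: bytes downloaded in the recent window} for users whose
    average download per active day in the last `recent_days` days is more than
    `ratio` times their earlier per-active-day average. A user with no earlier
    history is flagged if the recent total exceeds `floor` bytes. `as_of` is an
    ISO date string such as "2018-06-19". The thresholds are illustrative."""
    as_of_day = date.fromisoformat(as_of)
    cutoff = as_of_day - timedelta(days=recent_days)
    totals = daily_downloads(parse_log(log_text))
    flagged = {}
    for user in sorted(users):
        per_day = totals[user]
        recent = {d: b for d, b in per_day.items() if cutoff < d <= as_of_day}
        baseline = {d: b for d, b in per_day.items() if d <= cutoff}
        if not recent:
            continue  # nothing downloaded recently, nothing to flag
        recent_total = sum(recent.values())
        recent_rate = recent_total / len(recent)
        if baseline:
            base_rate = sum(baseline.values()) / len(baseline)
            suspicious = recent_rate > ratio * base_rate
        else:
            suspicious = recent_total > floor
        if suspicious:
            flagged[user] = recent_total
    return flagged


if __name__ == "__main__":
    for user, total in flag_users(SAMPLE_LOG, LEAVERS, "2018-06-19").items():
        print(f"{user}: {total:,} bytes downloaded in the last 7 days")
```

Comparing each person against their own baseline matters: a designer who routinely pulls large image files would trip a fixed threshold every week, whereas an account manager suddenly downloading gigabytes after handing in notice stands out immediately. Treat a flag as a prompt for a conversation and a closer look at which files were taken, not as proof of wrongdoing.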
It’s also important to protect confidential data from any visitors to your site. Your best practice policies should state that workstations should be locked when not in use, confidential documents should be shredded and printouts should not be left lying around. In addition, it’s wise to ensure visitors are shown to private waiting areas and meeting rooms, and do not walk through the work spaces of your office.
The importance of a data protection plan
In an entrepreneurial business, possibly one still in the start-up phase, each day is undoubtedly taken up by the many tasks involved in growing the company. However, it’s important to allocate time to develop a data protection plan and to ensure you are compliant with GDPR now that it is in force. Companies sometimes fall into the trap of not thinking about data protection until it’s too late, but small companies are just as vulnerable as larger ones. A founding principle of GDPR is “data protection by design and by default” (often called privacy by design), which means building the protection of personal data into the heart of how your company operates rather than bolting it on afterwards. As start-ups are more dynamic in nature, they have an advantage over their larger counterparts when it comes to complying with new requirements. Make sure you capitalise on this by implementing a thorough data protection plan as part of your risk management process. Furthermore, if data is breached, you should minimise the impact and swiftly follow the processes you have in place, bearing in mind that GDPR requires most personal data breaches to be reported to the regulator within 72 hours of your becoming aware of them, for the security of your company, your customers, employees and partners.