The Data Protection Act came into force in 1998 and exists as the core piece of legislation that seeks to ensure that personal data is protected in the UK. Principle 7 of the act states what is required by those in possession of sensitive data in relation to security.
Principle 7 is comprehensive – but by no means all-inclusive (risk management will be bespoke after all) – and is well captured by the following demand: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
In short, it states that businesses have to make every effort to ensure security is vigorously implemented; otherwise, along with loss of data, breach of network security, loss of reputation and financial damage, they can receive a hefty fine. A fine of £50,000 is significant and detrimental to small to medium-sized businesses (SMBs).
Conscious of this and the changing shape of the business landscape – the permeation of the internet into all facets of an organisation’s operations – the Information Commissioner’s Office (ICO), which oversees the Data Protection Act, has released a new guide to help SMBs out.
Entitled A Practical Guide to Information Security: Ideal for the Small Business, the ICO’s document is not bad at all. It’s not massively detailed – 12 pages – but that’s the point. It serves as an introduction, putting forward recommendations that are relatively easy to implement and not too costly.
The language is clean, perhaps directed at those who lack any discernible strategy for information security and risk management. For example, the following passage outlines the first step businesses can take:
“Before you can establish what level of security is right for your business you will need to review the personal data you hold and assess the risks to that data. You should consider all processes involved as you collect, store, use and dispose of personal data. Consider how valuable, sensitive or confidential the information is and what damage or distress could be caused to individuals if there was a security breach.”
While that may sound obvious, break it down and it’s informative. Take, for example, the line about the processes involved in collecting, storing and using data. Is this done automatically, without any clear-cut policy, or is it more regimented and authoritative? Knowing this can be exceptionally beneficial to SMBs.
Another great recommendation, which to most security consultants is standard practice, is using a layered approach to network security. Non-savvy SMBs might not consider this, thinking that a single measure is enough.
But, as the ICO notes, there is no single approach that can ensure 100 per cent security. A combination of tools and techniques makes sense because if one “layer” crumbles, there’s another barrier in place to prevent the attack from succeeding.
Throughout the document, points like this are aired, and it is extremely refreshing to come across something that simplifies, explains and articulates the importance of information security in today’s age of information. Well done ICO.