Keep Personal Data Secure and Protect Your Business
There is no one-size-fits-all solution for protecting personal data from unauthorised access, loss or destruction. However, there are some general steps you should definitely take to minimise the risk of information insecurity. The seventh data protection principle deals with the security of personal data. The principle requires that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
A data controller is the person who determines the purposes for which, and the manner in which, any personal data is processed. For small and medium-sized online shops this will usually be the retailer, so you are the responsible person who decides how personal data is collected, processed and handled in general.
Be clear about who in your organisation is responsible for ensuring information security. Where you do not have designated staff for this, you will be the responsible person. Without clear accountability, security issues will be overlooked or security measures are likely to become outdated.
When setting up your data protection policy and processes, first analyse what kind of personal data you are processing and think about possible security threats. For example, if you are also storing the customer’s credit card details along with their name, this data needs more protection than a customer's name alone. Theft of credit card data not only causes distress to your customer but could also cause financial loss. The possible risks are therefore high and the consequences severe. Credit card data must therefore be transmitted and stored encrypted.
Information security is not only about the way you store or transmit information; it is about every aspect of processing personal data. That means that only authorised people may access the data, and only they may alter, disclose or destroy it. Make sure that your staff are trained and know which data may be accessed, and how and when it may be disclosed. Inform everyone about the security processes in your shop and ensure your staff are aware of the steps to take in case of any security issue.
Make sure you protect your systems sufficiently. This requires physical security such as locked doors, control of paper waste disposal and proper storage of portable equipment. It also demands computer security. Where you or your staff work from home or in public places, it must be ensured that access to the device, as well as to the data stored on it, is password protected and, where necessary, encrypted. When selecting passwords, do not choose simple dictionary words; use a combination of upper- and lower-case letters, numbers and special characters. Do not let your staff share passwords. Even if the law does not oblige you to use the latest technologies, you should update your computer software regularly. Make sure you install firewalls and virus-checking programs on your computers. Take regular backups of your data, but also make sure that you do not store any data longer than needed on any device. When disposing of old devices, make sure all data is permanently deleted beforehand. Similarly, ensure that you shred paper waste rather than just throwing it in the dustbin.
What you should do in case of a security breach
Do anything possible to limit the damage and recover any lost data
Notify the data subject and the ICO
Find out the cause of the breach and remedy it
If you have taken the appropriate security measures and still become the victim of a data hack, be open about it with your customers. Inform them as quickly as possible, so that they have a chance to block their credit card and inform their provider about the theft so that they can get their money back. If you show your customers that you take the incident seriously and had prepared yourself beforehand, they will appreciate your service and won't punish you with bad reviews.