
Security Think Tank: Three steps to personal data security

How should businesses go about setting up and maintaining a comprehensive and accurate inventory of personal data?

Data security breaches pose serious threats to businesses, and the need to reduce the risks associated with exposing customer/employee data, losing intellectual property or violating compliance obligations has never been more pressing.

Keeping an accurate inventory of personal data is set to become one of the key priorities for UK organisations in 2016. Although this might sound simple enough, the reality is far from it. The following three points are areas I would suggest businesses carefully consider.

Assign an employee to look after data

Designate at least one person in your business to develop and manage your organisation’s personal data inventory and oversee compliance with regional legislation.

Make sure policies for handling personal data in electronic and/or manual form suit your organisation’s needs and ensure employees, members or customers are fully aware of internal personal data protection policies and processes.

Map out the personal data inventory in detail

Your organisation is responsible for the personal data in its care, so be clear about:

  • What data has your organisation collected?
  • How was it collected, and where were the points of collection?
  • Was consent obtained and in what manner?
  • What are the purposes for this collection of personal data?
  • Who will the information be disclosed to?
  • How is the data to be kept and how secure is it?
  • How long will the data be kept for?

Implement data protection processes

After understanding your organisation’s specific personal data inventory, the data protection officer should revisit and review the processes accordingly.

Collection, usage and disclosure are all key. Define the types of personal data that may be collected and set out how consent may be obtained and recorded. Set up processes to allow individuals to withdraw consent at any time on giving reasonable notice, and ensure that individuals understand the consequences of their withdrawal. Ensure transparency by making your organisation’s personal data protection policies available to the public.

Once the processes are clearly outlined, it’s imperative to address the security element. Set out how the personal data will be protected and classify the personal data to better manage internal housekeeping. Set clear timelines for the retention of the various data and dispose of documents containing personal data that is no longer required for business or legal purposes.

With the increasingly international nature of business, companies also need to consider the implications of transferring data overseas, safeguarding it and ensuring a comparable standard of protection while the data is overseas.

Every company – multinational or startup – will have a different internal culture and different approaches to business processes, so the above might not work for every company. However, if you can use the above as a pragmatic and flexible approach to maintaining a comprehensive and accurate inventory of personal data, you shouldn’t go too far wrong.

Ramsés Gallego is international vice-president of Isaca and security strategist and evangelist at Dell Software.
