The information that is entrusted to your business by its customers must be protected not only for the sake of your brand and businesses bottom line, but also any breaches could result in heavy fines.
The Data Protection Act states that businesses must take all possible action to protect the data they collect from customers. Which means it's important to understand what level of detail your business can hold on its customers, and how the Data Protection Act impacts this. In essence, your business can only store data for 'fair processing'. In practice this means
Your business must:
- Have legitimate reasons for collecting and using the personal data.
- Not use the data in ways that have unjustified adverse effects on the individuals concerned.
- Be open and honest about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data.
- Handle people's personal data only in ways they would reasonably expect
- Make sure you do not do anything unlawful with the data.
The Information Commissioner's Office states: "Fairness generally requires you to be transparent – clear and open with individuals about how their information will be used. Transparency is always important, but especially so in situations where individuals have a choice about whether they wish to enter into a relationship with you. Assessing whether information is being processed fairly depends partly on how it is obtained. In particular, if anyone is deceived or misled when the information is obtained, then this is unlikely to be fair."
Protecting against data attacks
Data in your business can be compromised in a number of ways including:
- Exposure of sensitive data by employees either intentionally or unintentionally.
- Virus and malware attacks.
- Data removed from secure premises then lost or stolen.
- Data lost in transit due to, no, or poor levels of, security
Your business isn't powerless to act when faced with what can be prolonged attacks on its systems to reveal sensitive customer data. Follow these steps to ensure your customer's information is always safe and secure:
- Keep all of your IT systems' anti-virus and firewall protection up-to-date.
- Educate your staff about good data security policy, which means locking computers when not in use.
- Prevent sensitive customer data from being removed from your secure premises on removable media such as USB drives.
- Ensure that mobile devices such as smartphones and tablet PCs use secure connections – such as a VPN (Virtual Private Network) – when they connect with your servers to access customer data.
- Be aware of any data that is contained on obsolete IT equipment. Did you wipe the hard drives of any PC your business has disposed of?
- Backups of customer data are vital to carry out on a regular basis. Using an off-site data backup service can provide a level of redundancy to allow your business to protect customer data as part of its contingency planning.
Developing a security strategy for your business
For small businesses in particular, the customer data they contain can be their most precious commodity. Customers entrust their personal data to your business such as payment details. If your business can illustrate that it has the systems in place to protect that information, your business will become a destination that will develop into a long-term commercial relationship.
Cisco offers this advice about how to holistically approach your business' data protection:
"When dealing with something as invaluable as customer data, think about creating a unified strategy that incorporates the network, people, and tools. Security is like a chain: It is only as strong as its weakest link. Do not be tempted by a piecemeal approach. Instead, create a single, integrated strategy that focuses on return on value rather than return on investment. It helps to work with trusted vendors that can provide end-to-end security, from the network foundation to the most remote laptop. You should also find the right balance between security and usability."
The advice is clear to all businesses that they must have a robust and detailed data security policy that is business wide and is communicated to everyone within the company. Malicious attacks on sensitive data are a fact of life in a modern digital enterprise. But what is also clear is that your business can take steps to minimise these attacks and protect the information that your customers have entrusted to your enterprise.
