Just like a good business suit, the strongest data protection is made to measure. Why? Because draft documents, customer information, spreadsheets: every type of data you handle is different.
Depending on its importance to your business, its privacy level, the legal restrictions it’s subject to and whether employees need to access it remotely, you need different measures in place to protect your data.
If you take a one-size-fits-all approach to data protection, you’ll make your everyday information too difficult to access and leave your sensitive information too open. Learn to tailor your protection, and you can tread the right line between security and access.
How to assess the value of your data
Not sure what kind of protection you need to have in place? Ask yourself these questions:
- Is it subject to legislation? The GDPR and the UK Data Protection Act (DPA) set out how you can lawfully obtain, process, use and store people’s personal information. Watch for the special cases so you aren’t caught out. For instance, transferring customer information from the EU to the USA needs a recognised transfer safeguard, most commonly standard contractual clauses (the ‘model clauses’) agreed with the organisation that receives the data, before the transfer is lawful (learn more about that and other overseas office issues here).
- Is your customers’ privacy at risk? Legality aside, customers who lose personal information due to your poor security are unlikely to stay your customer, particularly when financial information is at stake.
- Do your client contracts depend on it? Some clients attach specific security conditions to their data in the contract; if so, you need to treat that data with the utmost care, both to keep the client and to avoid a breach-of-contract claim.
- Is your employees’ privacy at stake? Under the Data Protection Act, it’s also your duty to keep your employees’ data safe. In any case, it’s essential for morale that your employees trust the way your systems handle their personal information.
- Is it business critical? If the information were lost, what would the impact be on your employees’ day-to-day jobs? The bigger the potential disruption, the greater the need for security.
- How often is it accessed? Putting everything under the heaviest controls available sounds safe, but it slows down how quickly your employees can reach the data they use constantly. If your team opens a shared document every day, make sure they aren’t spending half their time getting past the controls on it, or they will start keeping uncontrolled copies instead.
- Where is it accessed from? Your employees might need to access certain data on the go; this requires a different approach to security that keeps it safe in transit. Learn more about that here.
How to tailor your data protection approach
Now you understand your data a little better, you can work out how to tailor your protection to suit. You can set up:
- Password protection. Every system should require a login, so that your employees have to authenticate before they can reach the information on your network or through a secure app. For more sensitive data, add two-factor authentication, so that a stolen password alone is not enough to get in.
- Information rights management. Fine-tune how each employee can access data according to the type of data and the reason they need it, so that nobody holds more access than their job requires. Sensitive employee information, for instance, should be viewable only by your HR department. Documents that all your employees use but only a few edit should be view-only for the majority and editable only by the group that owns them.
- Remote access. Remote working is great, but it opens up other security risks. For instance, a criminal on the same unsecured Wi-Fi network can intercept information as it is sent across that network. Data that is too valuable to lose and not essential for remote use shouldn’t be reachable from outside your private network at all. Any data that is reachable should always be encrypted in transit, and ideally employees should connect through a virtual private network (VPN) so that all their traffic to your network is protected.
- Mobile access. On-the-go access from mobile devices adds a further layer of risk. Follow our advice for secure mobile working and make sure your employees aren’t using unapproved apps to open company data. They should only use company-approved apps, which let you keep ownership of the data and enforce your information rights management on the device.
- Network monitoring. Network monitoring tools let you see, manage and restrict what data leaves the office. This matters most where important files are routinely sent to clients or customers: monitoring shows you when a sensitive file is heading somewhere it shouldn’t, so you can block it or follow it up.
- Version control. Version control software lets you keep track of any changes people make to key documents, and revert to earlier versions if necessary.
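The controls listed above (a second factor for sensitive data, no remote access to data that must stay on the private network, VPN and approved apps for anything that may leave it, and view-only rights for everyone outside the owning group) can be written down as a single access policy and evaluated per request. The following is an added example, not code from the original article: a small attribute-based policy in Python, with constructed sample documents and requests. The sensitivity tiers, group names and request fields are assumptions chosen for illustration.

```python
"""Added example: tiered data-protection policy as an attribute-based access check.
Not the article's own code; tiers, groups and request attributes are illustrative."""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    """Assumed data tiers, ordered from least to most sensitive."""
    PUBLIC = 0
    INTERNAL = 1        # shared working documents
    CONFIDENTIAL = 2    # customer or client-contract data
    RESTRICTED = 3      # HR / payroll data, owner group only


@dataclass(frozen=True)
class Document:
    name: str
    sensitivity: Sensitivity
    owner_group: str        # the group that may edit (and, for RESTRICTED, view)
    remote_allowed: bool    # may this data be reached from outside the private network?


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset       # groups the user belongs to
    action: str             # "view" or "edit"
    on_private_network: bool
    over_vpn: bool          # connection arrives through the company VPN
    mfa_passed: bool        # second factor presented in this session
    approved_app: bool      # request comes from a company-approved app


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def decide(doc: Document, req: Request) -> Decision:
    """Evaluate one request against the tiered policy; first failing rule wins."""
    if req.action not in ("view", "edit"):
        return Decision(False, "unknown action")

    # Password protection: confidential and restricted data also needs a second factor.
    if doc.sensitivity >= Sensitivity.CONFIDENTIAL and not req.mfa_passed:
        return Decision(False, "second factor required for confidential data")

    # Remote access: data not cleared for remote use never leaves the private network;
    # cleared data must arrive over the VPN and from an approved (mobile) app.
    if not req.on_private_network:
        if not doc.remote_allowed:
            return Decision(False, "not available outside the private network")
        if not req.over_vpn:
            return Decision(False, "remote access must use the VPN")
        if not req.approved_app:
            return Decision(False, "only company-approved apps may open data remotely")

    # Information rights management: restricted data is for the owner group only;
    # shared documents are view-only for everyone outside the owner group.
    is_owner = doc.owner_group in req.groups
    if doc.sensitivity == Sensitivity.RESTRICTED and not is_owner:
        return Decision(False, f"restricted to the {doc.owner_group} group")
    if req.action == "edit" and not is_owner:
        return Decision(False, "view-only for users outside the owner group")

    return Decision(True, "ok")


# Constructed sample data for the demo and the checks below.
SAMPLE_DOCS = {
    "payroll": Document("payroll.xlsx", Sensitivity.RESTRICTED, "hr", remote_allowed=False),
    "customers": Document("customers.csv", Sensitivity.CONFIDENTIAL, "sales", remote_allowed=True),
    "handbook": Document("handbook.docx", Sensitivity.INTERNAL, "ops", remote_allowed=True),
}


def sample_request(groups, action, *, on_private_network=True, over_vpn=False,
                   mfa_passed=True, approved_app=True) -> Request:
    """Build a constructed request with sensible defaults for an in-office user."""
    return Request("demo-user", frozenset(groups), action,
                   on_private_network, over_vpn, mfa_passed, approved_app)


if __name__ == "__main__":
    for key, doc in SAMPLE_DOCS.items():
        for groups in (["hr"], ["sales"], ["ops"]):
            d = decide(doc, sample_request(groups, "edit", on_private_network=False, over_vpn=True))
            print(f"{doc.name:15} {','.join(groups):6} edit remotely -> {d.allowed} ({d.reason})")
```

Each rule maps to one bullet above, and the order matters: authentication and network checks run before rights checks, so a caller who is not on the VPN is refused without learning whether the document exists for them at all.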
At first glance, you might think that data protection is a one-and-done task. But the mix of regulations and business requirements means a single ‘padlock’ just won’t work in the modern office. Whatever information you’re handling, if you want to keep it (and your business) safe, you need to take a tailored approach.