In a recent blog I talked about the need to identify what personal data is held and this is something I wanted to elaborate on today, particularly in relation to knowing where that confidential data is stored.
This may sound like an odd topic, as I’m sure many of you are thinking you know exactly where all your businesses data is held. But do you really?
A recruitment agency’s data is precious, and much of that data is personal, including names and contact details for your clients and your staff and extensive personal data about your candidates including their resume, all of which is governed by the Data Protection Act and forthcoming GDPR legislation. Then there’s likely to be details of contracts, offer letters, and a wealth of other commercially confidential data relating to agreements, IP and email correspondence.
And the scary reality nowadays is that your business data may be scattered across the world. Yes, some of it will certainly be residing (hopefully securely) on your in-house servers. But what about the proliferation of company and employee owned portable devices such as laptops, tablets and smartphones which now hold company data or emails? Or data that has been copied to removable media such as USB sticks? Or data that has been shared with business partners and other third-party organisations? Or copies of data taken for backup purposes?
Then there is the cloud. The cloud has revolutionised the way many businesses store their data, but in doing so has also globalised the way data is stored, with many providers distributing data across servers worldwide in order to optimise costs.
So do you really know where all your data is held? And does it matter?
Well the more widespread and less controlled your data is, the more vulnerable you leave your business to a breach of data security or data integrity. And with GDPR on the way, any such breach leaves businesses open to potentially crippling fines of up to €20 million and immeasurable reputational damage.
So understanding what data you hold, where it is stored and who has access to it forms one of the first key steps to compliance.
If your data is very disparate, you may wish to bring it together in one secure, central repository in order to make it easier to control and manage. Luckily nowadays there are technologies that facilitate this; for example we have built several of our clients their own private cloud solution where all their data is brought together in one secure, central, UK-based repository, where they and their authorised business partners can access it securely wherever they are, without the source data ever leaving the security of the UK-based data centre.
For other clients, where data is generally central, but perhaps also resides on some mobile devices too, we work to implement business processes and technologies to prevent data leakage and manage mobile devices.
Either way, it is paramount to put the business back in control of its data, knowing both where it is and who has access to it. This in turn needs to be documented, both so that the management team have understanding of, and control over, their data and to provide documentation for compliance and audit purposes. This not only puts businesses back in control of their valuable data, but minimises the risk of a security breach and takes the first step towards preparing for GDPR compliance.