Author: Himanshu Shewale
The Data Protection Act of UK is known to be one of the most stringent regulations when it comes to protecting “Personal Data”. The Act regulates how personal data needs to be protected while it is processed, stored or transmitted by the data controller. A data controller can be any entity that holds information about its customers and hence needs to comply with Data Protection Act.
One of the basic motives behind the Act is to prevent personal data from getting compromised accidentally or even deliberately. In the digital era, personal data is mostly being maintained in digital format. The principle seven of Data Protection Act talks about securing the information irrespective of its format. In general, an organization is responsible for maintaining the security of the data that it holds in its environment. Security controls implemented in this attempt need to be versatile and hence a more holistic risk centric approach would provide better outcome.
The Data Protection Act of UK-Principle Seven states:
Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Security measures appropriate for meeting the Principle Seven:
The Data Protection Act does not define the security measures that need to be in place. However, industry specific best practices and standards may impose specific security measures. Depending on the organization environment and business process, security measures will vary, but in general, Technical, Physical, Management and Organizational security measures are important for protecting personal data.
- Organizational and Management measures
Risk Assessment is cornerstone of any security assessment for an organization. Identifying business specific risks and corresponding threats and vulnerabilities helps in aligning security efforts in the right direction. Risk assessment also helps in identifying and allocating responsibility of security measures to individuals and teams in an organization.
Underestimating the organization’s internal threats is found to be one of the biggest mistakes of late. To ensure that the staff understands the importance and responsibility of protecting sensitive and personal data, training and awareness plays a vital role. Staff roles and responsibilities need to be clearly defined and ensured that security procedures are actually put in practices.
- Physical security
Technical security measures to protect computerized information are of evident significance. However, most of the security incidents relate to the theft or loss of old computers or equipment, or hard-copy records being deserted.
Physical security includes things like the quality of locks and entrance and exit doors, and whether facilities are protected by warning alarms, security lighting or CCTV cameras. However, it also involves how you perform visitor management, control access to facility, discard hard copy paper waste and media, and keep electronic portable equipment secure.
- Computer security
Computer security is constantly evolving, and is a complex technical area. Computer security needs to be appropriate to the size and use of your organization’s systems. Your security measures must be appropriate to your business practices. The measures you take must be appropriate to the nature of the personal data you hold and to the harm that could result from a security breach. Security controls are as follows but not limited to -
- Organization Information security policies, procedures and guidelines
- Logical and Physical access control
- Encryption of sensitive data during transmission and storage
- System components configuration and hardening
- Information access management
- Device and media controls
- Person or entity authentication
Information security breaches not only cause monetary loss but reputational too. The result of a breach might prove costly for an organization. Recently, a Japanese consumer electronics giant was fined heavily for 'serious breach' of Data Protection Act by the Information Commissioners office. Hackers were successful to break into the company's online store and exposed personal information including name, address, date of birth and credit card information.
How to get compliant:
- First of all organization needs to determine if there is legitimate business reason for storing, processing and transmitting personal data.
- If yes, then it is necessary to define and implement best suited administrative, physical and technical controls organization level so that the personal data handled in a fair and legal manner.
- Identifying what best suits for a particular business environment is often tough. Hence, partnering with information security specialists to identify security controls best suited for a particular environment is of utmost importance.Information security investment in
effort to protect personal data would be fruitful only in case business
specific risks are properly recognized, and mitigated timely.
Author: Himanshu Shewale,
Privacy | HIPAA | Risk Assessment | PCI DSS,