Information security isn’t a brand-new subject, but rapid advances in technology over recent years have made it much more challenging for organisations to protect personal data.
Although this is a global issue, the UK has recently seen the introduction of new legislation (UK Data Protection Act and EU General Data Protection Regulation), which means organisations could face serious fines if they don’t have the correct controls in place to secure their information.
You may have seen the news about the recent data breach experienced by British Airways, which affected around 380k transactions involving personal and financial information. They’re not alone – these are just some of the more high-profile cases faced by UK companies in recent times.
It is becoming more apparent that every company needs to take responsibility for how they manage information security, and take a comprehensive approach to how they gather, store and process personal data.
So, how can organisations protect themselves? At the moment, it is difficult to completely protect your business from all threats, but there are many things you can do to significantly minimise that risk…
GDPR Compliance
The EU General Data Protection Regulation (GDPR) is aimed at ensuring all personal information held by companies on EU citizens is acquired, processed and stored lawfully. Based on six privacy principles and eight fundamental rights, the regulation covers everything from keeping data up-to-date and deleting it upon request, through to using it fairly and only keeping it for the period needed.
Businesses looking to align themselves with the requirements of GDPR will need to implement new processes and systems and update others; staff will also require training on these changes and on what is expected of them.
GDPR Assessment services often combine expert knowledge with staff training, an on-site gap-analysis, data mapping and data privacy impact assessment exercises, documentation templates and action reports. Together these help to ensure your organisation is in the best possible position when it comes to GDPR compliance.
Personal Data Protection
Businesses that frequently handle personal information belonging to employees and customers, or that treat the security of such information as a high priority, will need to develop processes for its acquisition, storage, handling and deletion. One of the best ways to do this is by implementing a recognised management framework in the form of a BS 10012 Personal Information Management System (PIMS).
The processes that a PIMS puts in place will help to ensure businesses handle data sensitively and ethically, proving to their customers that any information collected about them is safe and handled responsibly. By achieving compliance with BS 10012, organisations will be able to meet legal data protection requirements and will be operating processes that follow nationally recognised good practice.
QMS can help you to implement an effective PIMS within your business, taking you through the whole process from start to certification. Our expert Consultants will perform a gap-analysis, provide staff training and offer guidance on any corrective actions needed, fully preparing you for the certification process and for maintaining an effective system.
Information Security
Reducing risk to corporate information, such as from loss or unauthorised access, involves addressing multiple factors, from screening employees to implementing access controls. An ISO 27001 Information Security Management System (ISMS) is one of the best ways to put these processes in place. This internationally recognised Standard gives businesses the tools and guidance to keep their information assets secure.
With an ISMS in place, businesses will be able to demonstrate to customers and stakeholders that they are managing and controlling information security risks as well as protecting and preserving the confidentiality, integrity, and availability of information – reassuring them that their information is secure. In addition, certification to ISO 27001 can reduce the chances of incurring fines by improving compliance with relevant laws and regulations.
The experienced Consultants at QMS will help you to identify which of your processes need improvement and will offer guidance on what you can do to correct these issues to ensure compliance with the Standard. In addition, they will provide training so that you can be completely confident in maintaining your Management System and getting the most out of it.
Physical Security
Digital threats are not the only risk to the security of information – printed files and documents are also at risk. Aspects of the physical security of both business premises and the documents themselves are covered within the guidelines set out by ISO 27001, BS 10012 and GDPR, but another area that can be of assistance in this regard is the BS EN 15713 Standard for the secure destruction of confidential material.
This British Standard sets out industry best-practice guidelines for the secure storage and disposal of physical documents, especially those containing confidential or sensitive details. The Standard covers the whole cycle from collection to handling, transportation to storage, all the way through to the destruction of the documents.
QMS can help you to streamline your data destruction and storage processes through the implementation of a Management System certified to BS EN 15713. A qualified Consultant will visit your organisation and assess current processes against the Standard, offering advice and guidance on how to bring them in line with the Standard and get the most out of the guidelines.
So, whether you’re a global business that processes large amounts of personal data or a small start-up looking to secure your systems, there’s a service for you.
To find out more about ISO 27001, information security or how QMS can help your business, please get in touch with one of our helpful Certification Development Consultants on 0333 344 3646 or email [email protected].