How to handle your organisation’s data and information policy
In today’s digital age, keeping your organisation’s data and information secure has never been more important. Businesses not only face the threat of cybersecurity breaches, but also the ramifications of data privacy and protection legislation. Failing to have a customer or client’s data at hand – and being able to easily delete it – can put you at risk of being penalised.
Handling data and information properly means having a system in place to centralise, organise and secure it. While there are many ways to achieve this, data protection goes beyond the system you store files on, and into the practices and behaviour across your organisation. Here are some tips on how best to handle your organisation’s data and information policy, including what this policy should consist of, and how to implement it without putting data at risk.
Benefits of a data and information policy
Every organisation should have a clearly defined policy on how data and information is handled. A consistent and well-documented approach helps organisations and their employees to ensure that all information is handled appropriately and securely, and minimises the risk of data loss or misplacement. This will not only protect you from liability, but also make the data retrieval process more efficient.
A data and information policy also helps to ensure that data is kept secure. By storing confidential paper based records or electronic information securely, you will reduce the risk of unauthorised access, leading to data becoming compromised. As well as protecting you from legal and financial penalties, being able to demonstrate good data security will offer reassurance to customers and clients, making them more likely to develop relationships with your business.
Finally, a data and information policy provides clear best practices for employees. Data security and handling can be a blind spot for many people, particularly as many of us freely part with personal information when using our own devices. As a business with a responsibility for people’s data – and stricter legislation than some major countries – your policy will help to educate employees, and give them a clear set of guidelines on how to manage data safely.
How to classify data and information
Before implementing a data handling policy, data and information first needs to be categorised based on its sensitivity. An example data classification scheme adopted by many organisations is as follows:
- Public – e.g. publicly posted press release
- Internal – e.g. work instructions, policies and procedures
- Confidential – e.g. employee payroll information and customer records
- Regulatory – e.g. payment card and health care data
Classifying the data and information you keep will help you to provide different levels of security and oversight depending on its sensitivity. More pointedly, it will help you to organise it into clear silos, making it easier to locate whenever you do need to access, modify or remove it.
What to include in a data and information policy
A data and information policy may consist of several documents and processes which address different aspects of data storage. Together, they should form a cohesive and holistic approach to the use of data within the organisation, ensuring that it is stored and handled correctly, in a manner that retains privacy, guarantees security, and which enables it to be quickly located when required.
Secure storage for electronic records can be achieved by an access-controlled computer application, either on a local or remote server. This should employ strong data encryption and access control, so that only approved persons can access the data, that access attempts are logged, and that the data cannot be intercepted en route from the server to the client machine.
If your organisation holds personal data, it is good practice to establish standard retention periods for different categories of information, something that can be defined within a Data Retention Policy. This should take account of any regulatory requirements that may apply, such as healthcare and finance related Acts which can dictate the required data retention periods for specific records.
For personal data that falls outside of any regulatory requirements, organisations should also refer to the UK Data Protection Act. A simple application of data protection law is to regularly check for any records that are not being used, and consider whether they need to be retained. When data is no longer required by an organisation, it needs to be disposed of securely to reduce the risk of the unauthorised disclosure of sensitive information.
Any approach adopted should ensure that the information is appropriately secured, and only accessible by individuals or teams within a business on a ‘need to know’ basis. Your policies should also encourage staff to always think before exchanging information. Any exchange of information – whether this be internally, with third party partners, or with customers – should occur using secure protocols, with the methodology being based on how you’ve classified the information.
Due to the complexities of data management – particularly in a large organisation – many businesses opt to pursue an ISO accreditation, or delegate responsibility for their data management to an ISO accredited company. An ISO 27001 – Information Security Management accreditation demonstrates that you have implemented an effective information security management system (ISMS) to manage data in a secure and uniform way.
Our Sota Protect service includes a GDPR compliance assessment and our advanced data protection technical program. All of this is backed up by our own ISO 27001 accreditation, which ensures that we manage and safeguard data to the highest global standards. To find out more about the best way to handle your organisation’s data and information policy, or to discuss Sota Protect, get in touch with us today.