Legal Talk 16: How Do I Become Legally Compliant with Data Security?
We are meeting quickly before work. Data breaches and hacking are beginning to worry you, and I can understand why. Data breaches and hacking have been in the news quite a lot lately; I read this link this morning and it is shocking: https://www.techworld.com/security/uks-most-infamous-data-breaches-3604586/
You've started to gather email addresses and customer information and you just want to understand what you have to do legally to keep this data safe. You want the highlights, because what you really want is to show investors that you have done what the law requires of you to protect data.
Okay. So here are the basics from the legal standpoint:
1. Under data protection law, Principle 7 is the data security principle. It is fairly vague, in that it says you need to take "Appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". (That wording is the Seventh Principle of the Data Protection Act 1998; the GDPR, in force since May 2018, carries the same obligation in Article 5(1)(f) and Article 32, which ties the measures to the level of risk.)
So, you say, what constitutes "appropriate technical and organisational measures"? Well, the Regulator (in the UK, the ICO) says it depends on the details of each case. So, unfortunately, there is no clear benchmark; it is a risk-based judgement rather than a checklist, and the more sensitive the data, the more is expected of you.
2. "What do I do?" you say. Okay, well there are seven actions you can take to try to meet this standard of "appropriate technical and organisational measures". These will give some comfort to investors, partners and so on, and could also avoid or mitigate regulatory action from the Regulator if there is ever a data breach.
1. Written Policies: have a security policy in place (and review it regularly). You can find security policies online which you can adapt, and get your lawyer (me at the moment) to cast an eye over the result. You should also have a breach response plan, which would include elements such as:
(a) containment and recovery: how you stop the breach spreading, recover the affected data or systems and fix the underlying problem.
(b) assessing the risks: working out what data was involved and how the people it relates to might be affected.
(c) notification of breaches: working out if and when you need to notify the Regulator and the affected individuals. Under the GDPR a breach that is likely to put people at risk must be reported to the Regulator within 72 hours of you becoming aware of it, and the individuals themselves must be told where the risk to them is high, so the plan needs a clear decision point and someone who owns it.
(d) evaluation and response: working out what caused the breach and updating your policies and controls accordingly, so the same thing cannot happen twice.
2. Accountability: nominate one of your co-founders to be in charge of, and accountable for, data security, and record that decision in writing.
3. Training: train your staff so they are fully aware of how personal data can be lost or hacked (phishing emails, lost devices, sending data to the wrong person) and of the consequences, which are not only reputational damage to your business but also penalties from the Regulator. Keep a record of who has been trained and when.
4. Access to Premises: ensure that your premises are secure and do not allow anyone outside the organisation access to premises or equipment unless additional security measures are in place to ensure they cannot damage, lose or copy data.
5. Access to Equipment and Data: have data encrypted on laptops and PCs, with full-disk encryption and not merely a login password, since a login password on its own does nothing to protect data on a disk that has been removed from a lost or stolen machine. Only give people access to the data they actually need for their job. If people are working from home, or you are using the Cloud for storage, take some time to work out how to make that more secure (for example, multi-factor authentication on cloud accounts and restricting who can share or download data) so as to avoid data losses.
6. Third Parties: if you have sub-contractors or other people processing your data on your behalf (for example, a data warehouse or a hosted email provider) then you need written contracts in place that oblige them to keep your data secure, to have proper measures in place and to tell you promptly if a data breach ever happens. Under the GDPR a written contract with such processors is mandatory, not optional.
7. Business Continuity: have business continuity arrangements that identify how you will protect and recover personal data, including backups that are kept separately from the live systems and that you have actually tested restoring from.
"Seems like a lot of stuff to do," you say. Yes, but I think you can actually capture a lot of this by having the right paperwork in place and taking sensible, proportionate measures to keep data safe and secure.
"Okay, so I'll just put this in place and everything should be okay?" you say. Well, it's a good platform, but do remember that because the security principle is so vague you can never have a definitive list of things to do, and what counts as "appropriate" will grow as your business and the data you hold grow. However, if you follow the actions just listed, and can show the Regulator that you followed them, it will get you a long way towards being legally compliant on data security.
"Got it," you say. You are pleased that you have at least got something to work on regarding data security. I'm very much enjoying helping on your tech start-up journey.
You say you will call me with any follow-up questions, and with that you wave goodbye.
Your Legal Coach
P.S. Don't forget to subscribe and get even more exclusive content and legal insight. As always, this legal talk and all the legal talks are subject to our disclaimer, which you can find here.
© 2019. Coaching Law Limited. All rights reserved.