Businesses of all types and sizes hold information, in physical or electronic form or both, about their staff, finances, suppliers, material supply, services and, of course, any intellectual property. For all of these information sources your business is the Data Controller and is fully responsible at all times for their privacy and security, regardless of where the information is held or who has copies of or access to it.

Businesses must be aware that the level of risk to information is not determined by the size of the business but by the nature and sensitivity of the information that the business holds, accesses and processes, perhaps received from its customers, clients and partners. It is therefore the responsibility of the Data Controller to be aware of this and to identify the appropriate strategies required to manage and reduce this risk.

A Data Controller may also be a Data Processor; more information on these terms is available on the ICO website via the link below:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/

Before allowing access to any personal or sensitive information, the Data Controller must ensure that any Data Processor is qualified and/or certified to a level appropriate to the sensitivity of, or risk posed to, the information. This 'suitability' must be revisited at least annually to ensure continued compliance, and any claims a processor makes about its level of 'suitability' must always be backed up with real and recent evidence. Failing to request this evidence leaves the Data Controller exposed to possible loss and enforcement action.

As the Data Controller you must regularly review the level of risk to all information within the business, especially personal data, sensitive data and intellectual property, as these carry the highest level of risk and potential loss to the business. This responsibility exists at all times, regardless of where the information is held, and the degree of risk rises as the level of access to the information increases.

Businesses need to take a view as to what meets their needs in terms of suitability, both as a Data Controller and as a Data Processor. For individuals we would recommend Cyber Essentials; for service providers, professional advisers and IT companies with direct access to information systems, information sources/documents and assets, we would recommend certification to a standard such as ISO27001.

To help you understand, here is an example to illustrate. If you outsource or contract with a company to provide you with, say, accountancy services, they will have direct access to and custody of your personal information and that of your staff. You therefore need to be sure that this information is kept secure for the whole time they hold it, and is not routinely carried around unsecured, left unprotected or shared, because if something happens to this data you are responsible for it and could be subject to action by the ICO and to legal action from the individuals concerned.

If you would like to discuss how Totalview can help you put the required strategies in place, either as a one-off activity or on an ongoing basis, then please get in contact and we can explain how we can help reduce and maintain the level of risk in your business and across your suppliers and third parties.

Andrew, Director and Consultant, Totalview Consultancy Services.