Published 20th of March 2018
Most companies control confidential data of some kind, even if it only concerns their own business. If this data goes walkabout it can lead to all kinds of risks, from business fraud to other criminal offences, and for those holding their customers’ data, the looming EU-wide GDPR changes make data safeguarding more crucial than ever.
We’ve talked about different kinds of data protection initiatives at length in previous blogs. Our hope with this article is to build on what we’ve already written and provide some more ideas that we haven’t yet mentioned.
Clear company policies
If you want any safeguarding initiatives to succeed for the long term, they need to be specified in company policy. We’ve written about some different policy types in the past, like a clean desk policy and a document retention policy, but you can draft some more general guidelines if you don’t want to be that specific.
Whatever route you choose to go down, your policy should be made clear to all employees and readily accessible for them. Whenever a new employee joins, they should be guided towards the policy and trained in anything they specifically need to be aware of in their role. Similarly, if you implement a new policy or make significant changes to the current version, all employees who are affected (which may be everyone) should be made aware of the changes and should have a point of contact to whom they can bring any questions they might have.
Clarity and transparency are the keys to successfully bringing your team on board with any policy designed to safeguard confidential data.
Keep track of where confidential data is kept
Practically, at the heart of every effective confidential data policy there should be a way to keep track of where that data is being stored. Without this kind of log, there’s no way to know if all your data is as secure as it needs to be.
For this log to be effective, it needs to help employees to locate both physical and digital records, without giving access to someone who shouldn’t otherwise have it. If you have a physical filing system or you’re storing documents off-site, you should be logging the location and any other details needed to ensure that the correct document can be retrieved by an authorised person.
Similarly, if documents are stored digitally - on the cloud, on an internal network or on a specific hard drive - you should keep track of all the software and hardware being used to hold them. This can be harder than identifying physical locations, but is just as crucial if you want to make sure that only the right people have access.
Give access only where necessary
Building on that previous point, controlling access to confidential data is absolutely essential. Each employee should have access to the data that they need to be able to do their job, and nothing more. Every point of access to a specific confidential record is a risk for a company, and you should be actively minimising that risk.
When it comes to deciding who should be able to see what document, it pays to be overly cautious. If you have any doubts over whether or not someone should have a certain level of access, err on the side of safety. It’s much easier to retrospectively grant access to a document or folder than it is to deal with the consequences of someone seeing something that they shouldn’t have.
In addition, be rigorous in changing access rights whenever someone leaves the company or changes roles in such a way that they no longer need to see the same documents. If someone leaves the company, their access to all digital data should be deleted and any passwords should be changed.
In the same way, if someone changes their role internally you should alter their access accordingly and, once again, change all passwords. You might be tempted to let it slide if the move is internal and you trust the person changing roles, but too many employers have been burned by someone that they thought was loyal for it to be worth the risk. Again, if you have any doubts over what to do, err on the side of caution.
Control of activities beyond the workplace
Things become trickier when you consider access to information beyond the confines of the office or workplace. It’s becoming increasingly common for companies to adopt a ‘bring your own device’ (BYOD) policy, whereby employees can use their own phones or laptops for business activities, or for companies to allow employees to take their work devices home with them. Less commonly, employees may need to remove physical documents from the workplace to take them to a meeting or for use in another workplace.
Whenever a device or document containing confidential information leaves the office, it opens that data up to a new level of risk. The degree of control that an employer has over where that information goes and who can see it is severely limited, but the risks can be mitigated by thorough training and by being cautious with the access that different employees have to information.
If you allow employees to take information away with them, make sure they know the risks and the importance of ensuring that no one from outside the company - even friends and family members - should have access to the documents in question.
Removing risk wherever possible
The theme of much of this article has been that you should do everything in your power to limit the risks your company is exposed to through its confidential data. The final piece of the puzzle is to ensure that data only exists for as long as it’s needed. Documents that are out of date or unnecessary for the ongoing operations of the company should be deleted or destroyed; old hard drives containing sensitive information should be disposed of according to regulations, and access to data that is no longer required should be removed.
Much of this can be handled internally through the use of up to date logs of the data that’s being kept around, but companies like the Shredall SDS Group exist to help you take that extra step when it comes to secure storage and destruction. We can help you to securely destroy large quantities of physical documents and we provide an off-site storage option if you would prefer to store sensitive documents away from vulnerable office premises. Get in touch with us today to find out more.