Data protection and being compliant to it.
* Disclaimer. I am an Information Security Management student. These blogs are based on my opinion, experience and knowledge gained during my study and internships. *
Data protect isn't something to take lightly. You are storing information from your users/customers. Some of you think you will only store/save names, but in reality you are storing much more then that.
What are you possibly storing?
Name, Address, Sex, Age, Credit Card, Phone numbers, religious preferences and more. But there is more. You are also storing ip-address, mac address, documents, e-mail, transactions and more.
We are storing more and more every day because technology and regulations require us to do so legislation in place. It is called a Data Protection Act (DPA) and different from continent to continent and from country to country/state to state.
But all of these acts have a baseline. That baseline is -
Fairly and lawfully processed.
Processed for limited purposes.
Adequate, relevant and not excessive.
Kept no longer than necessary.
Processed in accordance with the data subject's rights.
Transferred only to countries with adequate protection.
You are storing data of people and they have rights as well. They have the right -
to view their own data
to alter this data to a certain extent to maintain and ensure the integrity of their own information.
As a company you need to assign someone who is responsible for the data. Most of the times this is management (CEO/CIO or even Board of Directors). He/she could also be the contact point for requests from i.e. law enforcements, unless different specified.
Now as we're going online full-time with a lot of businesses, more data will be stored. So you should follow some important rules.
Rule 1: Fair obtaining
Rule 2: Purpose specification
Rule 3: Use and disclosure of information
Rule 4: Security
Rule 5: Adequate, relevant and not excessive
Rule 6: Accurate and up-to-date
Rule 7: Retention time
Rule 8: The Right of Access
All these are easy to implement and maintain.
The hardest requirement to be compliant for is "Kept no longer than necessary". One simple explanation is, we make backups of the data everyday or at least I hope you do. And when is "no longer than necessary"? You need to determine that as a business. And set controls to be compliant with that requirement.
Data Protection Act - Wikipedia with all countries and more detailed information.
I hope these last few posts have helped some of out and gave them a bit of an awareness that they are not just running a business, but also have to comply with legislations and industry standards.
Please leave some feedback and tips on how to improve these blogs. Also leave questions you want me to answer.