PLEASE NOTE: Our website uses a technology called cookies to improve your experience. One of the cookies we use is essential for parts of the site to operate and may have already been set. You may delete and block all cookies from this site, but parts of the site will not work. For more information see our privacy policy.

To accept cookies from this site (and hide this notice) please check this box and click the continue button.

HomeThe IssuesOur ServicesOur TeamPublicationsTestimonialsNewsletterContact us

On the case - April 2008

I don’t know where to start to find out if my company is at risk of a data breach and with all the news coverage of what is happening in other companies, I’m concerned. Can you point me in the right direction?


Start with the UK Information Commissioner’s website, – there’s a good deal of information there to help you in your quest.

But to prime you for that exercise, here’s a list of eight things that you should consider. This list is not conclusive but it might prompt you to decide if you can comply with the UK Data Protection Act’s seventh principle on ‘technical and organisational measures’ and the eighth principle on transferring data outside the European Economic Area (EEA).

1. How is physical access to your building and your office controlled and monitored? Do you know for certain that everyone who has access to your office while you are there (and while you are not) has a reason to be there and data security procedures to follow? Have you vetted operatives of cleaning or maintenance companies, for instance?

2. Do you prevent access to your terminals or servers by password or encryption?

3. Do you always encrypt data when you are transmitting via electronic or physical means? The Information Commissioner’s Office (ICO) considers that passwords are not sufficient.

4. Have you notified the ICO if you are transferring data outside of the EEA?

5. Do you have data processing contracts or model contracts in place for suppliers of outsourced services both in the EEA and in countries without ‘adequate’ protection? (Or, of course,
Safe Harbor or Binding Corporate Rules where these may be used).

6. Have you visited the premises of your suppliers to ensure that they have at least the same level of data security measures in place as you do?  

7. Do you have internal policies about data being removed from your premises? As the Data Controller you are responsible for instructing your employees or contractors how to protect your data if it leaves the (relative) safety of your office.

8. Do you keep your staff informed of your policies to ensure that they understand the legal and commercial imperatives to keep data secure in your company? If not, they may accidentally commit a breach without your knowledge. You have a duty of care to your staff, as well as legal responsibilities.

 Data security must be taken seriously for the good of your company, your staff and your customers – data may be your most valuable asset.

Other recent items: