This is the fourth of our posts helping senior partners manage risk around backup and recovery. So far we’ve helped you get reporting and documentation in place and set some minimum standards.
If your standards do not consider the law, now is the time to change that.
Compliance work is not much loved. This post helps you start.
Whatever decisions you are about to make – take good notes. The General Data Protection Regulation (GDPR), in May 2018, increases your accountability for protecting personal data.
When a breach happens you don’t want to be scrabbling around trying to remember what you decided and why you thought it fulfilled your responsibilities. Think it through and write it down. It will save you stress knowing you can justify your actions.
Here are the key legal areas you need to wrap your head around:
- We are all subject to the current Data Protection Act and will be subject to the upcoming GDPR.
Make sure you cover your basic responsibilities: where is your data stored, is it encrypted, and how do you control access to it?
The Information Commissioner’s Office has fined a firm for a breach where sensitive data was in a locked room with controlled access but not encrypted.
- What industry-specific legislation affects you?
Let’s say you are an accounting firm – you have specific responsibilities. HMRC says you have to keep records for six years. Accountants tell me there are exceptions, but you need a good reason. How do you take account of those exceptions?
- Does the way you work impose any extra responsibilities?
For example, if you use credit card holder data you may also be subject to Payment Card Industry Data Security Standards.
It’s not fair to delegate considerations like these to your IT guys. Senior partners have to help set standards for backup and recovery. Managing your firm’s risk means balancing care of clients, the law, budget and technical solutions.
If you are stuck working this out, don’t struggle alone, get in touch. We are experienced in helping senior partners navigate these tricky waters. Email or call me: firstname.lastname@example.org or 020 7572 0000.
Our next post looks at your staff. Having the very best backup and recovery plan is useless if nobody is following it.