This may sound like an easy question on the surface, telling me exactly where your clients’ data is, but it goes quite a bit deeper than that. See, I don’t want you looking on your network now, I want you to tell me, off the top of your head, where ALL (every. little. bit.) of your clients’ data is stored. If you are even remotely unsure, your answer is “no”.
Suddenly it’s not so easy. Part of your Data Privacy exercise needs to be knowing exactly where you keep data, and ensuring that your policies, procedures and staff members adhere to those requirements. The reason I ask the question in this manner, without you looking at your network, is that if you have a breach whereby a laptop is stolen, a hard drive goes missing, or a backup tape just vanishes, you have to be able to tell the forensic investigators what was stored on that particular medium.
Part of Data Privacy law is the act of notifying your clients if there was a breach (or potential breach) of their information. If you don’t know whose information was breached, you then need to notify your entire client base that could have been affected by the missing device. Hardly a reputational boost, and under GDPR you need to give notice within 72 hours, which leaves little time for an investigation!
The reputational aspect is not the only consequence of this. In these cases, you will need to bring in forensic investigators to identify how the breach happened and what was potentially on the device. These costs can very easily run into hundreds of thousands of Rands / tens of thousands of Dollars!
Lastly, if you do not know what data is where, there is also a real likelihood that you will be fined by a regulator, or face other consequences such as a breach of non-disclosure agreements with clients or contraventions of other related laws.
If you know exactly what is where, and you have it documented, you stand in much better stead for defending yourself and avoiding the massive penalties across the board. Knowing your data structures should allow you to respond quickly and identify whether a breach has in fact occurred, or whether the stolen device didn’t contain material data. Ideally, you want to have a policy that dictates where data is stored, and adequate protection measures in place to ensure that data cannot go missing from that storage.
If the regulator comes a-knocking, you want to be able to hand over paperwork detailing what was where, and that you took measures to protect it. Failing that, you’re going to land up in hot water. As the old adage goes, “he with the most paperwork, wins”.
A good idea all round is to obtain cyber insurance / cyber liability insurance coverage (CLIC). This is a policy that will assist in damages, investigations, monitoring, notification and a whole lot more. Even if you are handling data responsibly, and know where everything is, I’d recommend having this insurance in place.
If you need help in putting your policies, procedures and processes in place, why not reach out to us for assistance? Contact us today for an exploratory meeting.
Ross G Saunders Consulting was founded in 2015 and specialises in Data Privacy, Information Strategy and Process Engineering. Their clients include software development houses, graphic design agencies, law firms, and various other verticals. They pride themselves on technical expertise, business acumen, and proven experience in technology, business and innovation. They deliver services through a network of professional consultants specialising in all things privacy-related, from law to IT technical assistance. Enquire about the services offered today, and take control of your Data Privacy and Information Security.