Step 1 of 5: Management and organisational information security

1.1 Risk management

Before you can establish what level of security is right for your business you need to review the personal data you hold and assess the risks to that information.

You should consider all processes involved as you collect, store, use, share and dispose of personal data. Also, consider how sensitive or confidential the data is and what damage or distress could be caused to individuals, as well as the reputational damage to your business, if there was a security breach.

You can then begin to choose the security measures that are appropriate for your needs.

In addition, as part of a data protection by design approach, you should conduct a data protection impact assessment (DPIA) in specific circumstances to assess privacy risks. You must do a DPIA before you begin any type of processing which is “likely to result in a high risk”. This means that although you have not yet assessed the actual level of risk you need to screen for factors that point to the potential for a widespread or serious impact on individuals.

1.2 Information security policy

A policy will enable you to address security risks in a consistent manner. This can be part of a general policy or a standalone policy statement that is supported by specific policies.

Your policy should clearly set out your approach to security together with responsibilities for implementing it and monitoring compliance.

You should have a process in place to ensure that you review and approve policies and procedures before implementing them and set review dates when required.

It is good practice to have a template document in place which outlines the agreed style that all policies, procedures and guidance documents must follow, and to communicate this to relevant managers and staff.

1.3 Information security responsibility

It is good practice to identify a person or department in your business with day-to-day responsibility for developing, implementing and monitoring your security policy. They should have the necessary authority and resources to fulfil this responsibility effectively.

For larger organisations, it is common to appoint 'owners' with day-to-day responsibility for the security and use of business systems.

Without clear accountability for the security of systems and specific processes, your overall security will not be properly managed or coordinated and will quickly become flawed and out of date.

1.4 Outsourcing

Many small businesses outsource some or all of their data processing requirements to hosted (including cloud based) services.

There must be a written contract (or other legal act) between you (the controller) and the service provider or processor. These contracts must include certain specific terms as a minimum, including security standards.

As controller, you are liable for overall compliance with the UK GDPR and for demonstrating that compliance. However, processors do have some direct responsibilities and liabilities of their own.

You must be satisfied that any processors you use treat the personal data they process for you securely, in line with the requirements of the UK GDPR.

You must choose a third party provider or processor that gives sufficient guarantees about its security measures. To make sure they have appropriate security arrangements in place, you might, for example, review copies of any security assessments and, where appropriate, visit their premises.

The contract with the processor must include a term requiring the processor either to delete or return (at your choice) all the personal data it has been processing for you. The contract must also ensure it deletes existing copies of the personal data unless EU or member state law requires it to be stored.

If you use a third party service provider or processor to erase data and dispose of or recycle your ICT equipment, make sure they do it adequately. You will be held responsible if personal data collected by you is extracted from your old equipment after it is resold.