How can we make sure that the data we process is properly secured?

Your organisational action plan to secure the data you have will depend on a wide range of factors: for example the types of data you store, how sensitive it is, how much you have, how complex your digital infrastructure is, and whether you have in-house digital security knowledge or choose to outsource. At minimum, however, you should take the following steps:

  • List what personal data you hold and map out where you store this data.

  • Do a risk assessment, pinpointing the most likely sources of unauthorised access/leaks.

  • Implement a data protection action plan that builds on your risk assessment and includes: data minimisation (collect, process and store only the data you absolutely need); access control (limit who has access to personal data); storage security (where do you store personal and/or sensitive data? Is it stored separately from non-personal/non-sensitive data? Is it encrypted at rest?); staff digital hygiene; and a data retention, archiving and deletion policy.

  • Test the security of systems that store personal data (servers, email, archives etc.).

  • Write down all the actions you have taken to protect the personal data you have.

  • Set up and test a data breach action plan, which should include roles and responsibilities, reporting to the DPA (data protection authority), and so on.

  • Put together a plan for periodically revisiting these steps.
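The inventory, storage-security and retention steps above can be turned into a repeatable check rather than a one-off document. The following is an added example, not part of the original page: a tiny personal-data register plus a retention-policy check. Every store name, category, role, retention period and record date is constructed for illustration; a real register would be populated from your own data-mapping exercise.

```python
"""Added example: a minimal personal-data register with storage-security
and retention checks. All names, categories, dates and retention periods
below are constructed placeholders, not values from the original page."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DataStore:
    """One place where personal data is kept (step 1: list and map)."""
    name: str                    # constructed label for the store
    category: str                # kind of personal data held
    sensitive: bool              # special-category data (health etc.)?
    encrypted_at_rest: bool      # storage security question from step 3
    authorised_roles: frozenset  # access control: who may read it


@dataclass(frozen=True)
class Record:
    """One personal-data record, tracked only by category and age."""
    record_id: str
    category: str
    collected_on: date


# Retention policy: category -> maximum number of days a record may be kept.
# Constructed for the example; set these from your own legal basis.
RETENTION_DAYS = {
    "customer_contact": 3 * 365,
    "job_applications": 180,
    "health_records": 10 * 365,
}


def storage_findings(register):
    """Return human-readable findings for stores that violate the plan:
    sensitive data kept unencrypted, access granted to everyone, or a
    category with no retention rule at all (a policy gap)."""
    findings = []
    for store in register:
        if store.sensitive and not store.encrypted_at_rest:
            findings.append(f"{store.name}: sensitive data stored unencrypted")
        if "everyone" in store.authorised_roles:
            findings.append(f"{store.name}: access not restricted ('everyone')")
        if store.category not in RETENTION_DAYS:
            findings.append(
                f"{store.name}: no retention rule for category '{store.category}'")
    return findings


def records_past_retention(records, today):
    """Return the ids of records older than their category's retention limit.
    Categories without a rule are left alone here; storage_findings()
    reports the missing rule so the policy can be completed first."""
    overdue = []
    for rec in records:
        limit = RETENTION_DAYS.get(rec.category)
        if limit is not None and today - rec.collected_on > timedelta(days=limit):
            overdue.append(rec.record_id)
    return overdue


# Constructed sample register and records for a stand-alone run.
SAMPLE_REGISTER = [
    DataStore("crm_db", "customer_contact", False, True, frozenset({"sales", "support"})),
    DataStore("hr_share", "job_applications", False, False, frozenset({"hr", "everyone"})),
    DataStore("clinic_archive", "health_records", True, False, frozenset({"clinicians"})),
    DataStore("marketing_export", "newsletter_signups", False, True, frozenset({"marketing"})),
]

SAMPLE_RECORDS = [
    Record("r1", "customer_contact", date(2020, 1, 15)),
    Record("r2", "customer_contact", date(2023, 3, 1)),
    Record("r3", "job_applications", date(2024, 1, 1)),
    Record("r4", "job_applications", date(2023, 10, 1)),
    Record("r5", "health_records", date(2016, 1, 1)),
    Record("r6", "newsletter_signups", date(2019, 5, 5)),
]

SAMPLE_TODAY = date(2024, 6, 1)


if __name__ == "__main__":
    for line in storage_findings(SAMPLE_REGISTER):
        print("FINDING:", line)
    print("records past retention:", records_past_retention(SAMPLE_RECORDS, SAMPLE_TODAY))
```

Running the checks on a schedule (step 7) turns the written action plan from step 5 into evidence you can show a DPA: the register is the data map, the findings list is the gap analysis, and the overdue-record list is the input to your deletion or archiving routine.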