Even though your IT department will do much of the work regarding information security, your board is ultimately responsible for preventing data breaches and other disruptions. Top management must therefore work with staff to make sure everyone is taking the necessary steps.
Of course, this is easier said than done. Most board members aren’t information security experts, and the subject is so vast that no one should expect them to be. However, the basics are easy enough to grasp, and that will be enough to help them understand the measures that need to be implemented.
How actively the board pursues these issues will depend on the organisation’s structure and culture, but there are four questions that every senior member of staff should be able to answer.
1. What personal data do we have on file?
Personal data is the lifeblood of many organisations. They need that information in order to operate, whether it’s for marketing activities, consultancy, research, customer service or HR activities.
With the introduction of the GDPR (General Data Protection Regulation), it’s more important than ever for organisations to know what data they hold and why they’re processing it. Board members obviously don’t need to be capable of recalling this information off the top of their heads, but they are responsible for approving processing activities. As such, they should take the time to review the organisation’s data processing policies and designated legal grounds for processing.
2. Should we appoint a DPO?
A DPO (data protection officer) is responsible for monitoring an organisation's data protection practices and regulatory compliance. Under Article 37 of the GDPR, organisations within its scope must appoint a DPO if they:
- Are a public authority or body (other than a court acting in its judicial capacity);
- Have core activities that require regular and systematic monitoring of data subjects on a large scale; or
- Have core activities that consist of large-scale processing of special categories of data, or of data relating to criminal convictions and offences.
This isn’t to suggest that other organisations needn’t appoint a DPO. After all, everyone can benefit from expert guidance on data protection and the information security measures that support it. It’s therefore worth considering appointing a DPO, but whether you go ahead will depend on your resources and your ability to find a qualified professional. Note that if you do appoint one voluntarily, the GDPR’s requirements for the role (such as independence and reporting to the highest management level) still apply.
3. What tools and processes do we use?
There are many technical and organisational measures that can be used to keep data secure and reduce the damage of successful attacks. These include data encryption, staff training, backups, access controls and protecting your physical perimeter.
Board members don’t necessarily need to know how each of these measures works, but they should take the time to understand the threats that each one addresses and how the organisation checks that it is actually in place and working. This will give them a better understanding of their organisation’s security posture.
4. Are we prepared for a data breach?
This is the most important question. Board members should be confident that their organisation is capable of acting quickly when a breach is identified, not least because the GDPR requires notifiable breaches to be reported to the supervisory authority within 72 hours, and because, as noted earlier in this blog, the board will ultimately be held accountable.
The good news is that, unlike the other questions, this one has a simple yes or no answer. You either have all the necessary measures or you don’t. What’s more, you don’t need to be an information security expert to work that out. All you need to do is complete our breach readiness questionnaire.
This simple survey asks you about the measures you have in place, and scores you on your readiness for a data breach. We’ll then give you a detailed summary of your information security practices, explaining what you can do to improve your score.