Any website owner who stores or processes data on behalf of its customers should have an up-to-date data protection policy and a security policy in place to minimise the risk of being subject to a cyber attack.
Such policies should include details of how employees and third parties should handle customer data on behalf of the website owner and how the website owner will ensure compliance with its policies and procedures.
Data Protection Policy
Under the Data Protection Act 1998 (DPA), if you process the personal data of customers (e.g. their email address, date of birth, name, etc.) you must have in place:
- appropriate organisational measures to prevent the unauthorised use of personal data; and
- effective policies and procedures for handling personal data.
In order to show that you have appropriate organisational measures in place, you should have a written data protection policy that all staff have read, accepted and understood. This should be regularly updated to reflect changes in the law, and staff should be provided with basic data protection training on a regular basis.
Additionally, if the new draft EU Data Protection Regulation comes into force, you will be required to inform customers and regulators about personal data breaches without delay and, where feasible, not later than 24 hours after becoming aware of such breaches.
Failure to comply with the above duties will expose you to the risk of being heavily fined by the Information Commissioner’s Office (ICO): fines for breaches can be up to 2% of your global annual turnover.
Information Security Policy
As with the data protection policy, you should have a written information security policy in place and ensure that staff are aware of it and are suitably trained to observe the policy when carrying out their duties.
This should, as a minimum, cover the following issues:
- limiting the number of people who can access key information;
- monitoring user activity;
- controlling who can access customer information;
- having a mobile working policy for staff;
- ensuring that all devices contain security features;
- having a plan for responding to cyber attacks;
- testing the security plan.
Having the above policies and procedures in place before anxious customers ask you to implement them will not only help you to avoid potential fines, but can also be used as a marketing tool to show that you are one step ahead of the competition.