Protecting your data: your at-a-glance guide and how your ICT partners can help
How much of your business data should be kept confidential? What do you need to know to protect your data? And what role is played by your ICT partners? This guide aims to answer some of the questions facing small and medium-sized enterprises (SMEs). We’ll set the scene, point you towards some helpful principles and explain the role of your ICT partners.

Published in: Technology, Business
Transcript

  • 1. White paper: Protecting your data. Your at-a-glance guide and how your ICT partners can help
  • 2. How much of your business data should be kept confidential? What do you need to know to protect your data? And what role is played by your ICT partners? This guide aims to answer some of the questions facing small and medium-sized enterprises (SMEs). We’ll set the scene, point you towards some helpful principles and explain the role of your ICT partners.

    Contents
    1. It’s not all about the law: it’s about a growing trend (page 3)
    2. What data is important and who is responsible? (page 3)
    3. What do you and your ICT partners need to do? (page 4)
    4. Appendix A (page 5)
  • 3. 1. It’s not all about the law: it’s about a growing trend

    It’s about a growing trend

    Today, more business data than ever is being collected. Just think of your own business: there are your business plans; your confidential emails and documents; and, of course, sensitive details about your customers that they wouldn’t want you to share with others.

    The way data is used - or misused - regularly makes headlines in the media. Spectacular security breaches, embarrassing gaffes and IT blunders have often led to bad publicity and fines for organisations across the world.

    Lawmakers are keen to provide safeguards and protection. Draft legislation is being worked on within the European Union. Countries have their own laws too. But it’s difficult for authorities to keep pace with the rapid advance of technology as new challenges appear with each innovation. It’s also hard for lawmakers to strike the right balance between the right to privacy for individuals and how data enables a 21st century society to respond dynamically to the needs and wishes of the very same citizens.

    What’s currently driving the desire for better data protection within the European Union isn’t a new law. It’s a trend, followed by companies and public authorities that recognise the importance of being responsible for their data.

    Companies are taking the initiative

    Many enterprises are establishing their own, far-reaching data protection programmes that span their business and include their ICT partners. These programmes reflect their legal obligations and include company policies for their employees and business partners.

    A complex data protection policy would be overkill for most smaller businesses. But, nevertheless, it’s very important for your company to address the issue in a way that’s legally compliant, measured and practical. The services provided by your ICT partners are relevant too. So where should you start?

    2. What data is important and who is responsible?

    Every company will be different. But here are some helpful principles. It’s likely that your business has three different types of data that must be kept safe:

    Commercially sensitive information about your business: This could include your product designs, pricing and contracts, plus any legal obligations to your customers.

    Personal data that you keep about people: This can be about your customers, employees, contractors and suppliers. It can include emails, records of calls and information that users key in themselves.

    Data covered by any industry regulations: Businesses must keep financial records for a certain period: some may do this digitally. Some professions may have specific rules about retaining data.

    Your company may have to control personal data. From time to time, your employees will probably add, change and delete some data. You are responsible for what data is kept and how it is used. As such, your company almost certainly assumes the role of ‘data controller’.

    This personal data is also processed by various forms of technology. For example, files will be worked on within applications. After being saved, they may be transported from a laptop to your server via your company network. It’s important that data is protected while it’s being created, transported and stored. This ‘data processor’ role could be your company, an ICT provider or a mixture of both. Roles and responsibilities depend on the kind of model you have for your ICT services; for example, whether all your ICT is owned and managed in-house or whether you use an ICT partner to provide services for you.
  • 4. This table shows who is responsible for controlling or processing personal data under each ICT service model. The data processor role is split into three layers: applications, middleware & operating system, and the virtual machine environment.

    ICT service model         | Data controller | Data processor: Applications | Data processor: Middleware & operating system | Data processor: Virtual machine environment
    In-house                  | Your company    | Your company                 | Your company                                  | Your company
    Colocation                | Your company    | Your company                 | Your company                                  | Your company
    Dedicated managed hosted  | Your company    | Your company                 | ICT partner                                   | ICT partner
    Infrastructure-as-a-Service | Your company  | Your company                 | ICT partner                                   | ICT partner
    Software-as-a-Service     | Your company    | ICT partner                  | ICT partner                                   | ICT partner

    3. What do you and your ICT partners need to do?

    The European Union Directive 95/46 sets a minimum standard for protection of personal data across the EU. Some member states have adopted a stricter approach in their local laws. Each EU member state has a supervisory authority to oversee compliance with data protection laws in their country.

    Important steps for you

    Your company needs to secure its data against accidental or unlawful destruction, loss, alteration and disclosure to stay within your country’s laws. You can do this in a combination of ways:
    • By following your country’s laws on data protection (see Appendix A for some further sources of information)
    • By introducing policies for your employees to follow to help keep your data safe
    • By ensuring any technology that belongs to you will support this objective
    • By being satisfied that your ICT partners observe your wishes for how your data is processed.

    How your ICT partners can help

    It’s your responsibility to ensure your ICT partners support your policy. This can be formalised in two ways:

    1. With a written assurance
    Your ICT partners can provide written assurances that your data is adequately protected by the service they provide. For example, they may do this via marketing material, contractual assurances to you, or through security standards such as ISO27001 and other certification.

    2. With an audit
    Your ICT provider’s service may be audited either internally or by a third party to demonstrate it meets compliance standards. The audit covers the ICT provider’s organisation, policies, processes and systems. ICT providers may charge an additional cost if an external audit is carried out.

    Both ways are acceptable unless a country’s laws demand otherwise. For example, Spanish data protection legislation requires data controllers and data processors to undergo a third party audit every two years. However, Spain is the only country to mandate this particular measure. See Appendix A for information about your country.

    Discover more

    For more details about how Colt solutions can help you protect your data, please contact your Colt Account Executive.
  • 5. 4. Appendix A

    European Union Directive 95/46 sets a minimum standard for protection of personal data across the EU. Some member states have adopted a stricter approach in their local laws. You’ll find specific details and useful guidance via the links below to official websites for each country.

    Austria: https://www.dsk.gv.at/
    Belgium: http://www.privacycommission.be/
    Denmark: http://www.datatilsynet.dk/
    France: http://www.cnil.fr/
    Germany: http://www.bfdi.bund.de/
    Ireland: http://www.dataprotection.ie/
    Italy: http://www.garanteprivacy.it/web/guest/home
    Portugal: http://www.cnpd.pt/
    Spain: http://www.agpd.es/
    Sweden: http://www.datainspektionen.se/
    Switzerland: http://www.edoeb.admin.ch/datenschutz/
    The Netherlands: http://www.cbpweb.nl/
    United Kingdom: http://www.ico.org.uk/

    The European Union Directive 95/46 can be found here: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046
  • 6. What about the US-EU Safe Harbor agreement?

    The Safe Harbor scheme provides a voluntary mechanism enabling US organisations to certify they will adhere to a set of data protection obligations similar to those found in European law. These arrangements are regarded by the European Union as offering adequate protection for personal information transferred to the US. Details of US companies registered under Safe Harbor can be found at the Safe Harbor website. The US Federal Trade Commission is responsible for enforcing Safe Harbor. However, US financial services and telecoms companies are excluded from participating in the scheme.

    The Safe Harbor certification is only valid for one year. If you use the services of any such US companies, it is important to check their certification is up to date.

    Colt, as a European company not subject to the jurisdiction of the US and with its data centres in Europe, is outside the remit of the Safe Harbor scheme. As explained in the previous paragraphs, Colt abides by EU and Member States’ legislation on Data Protection.

    What about the USA Patriot Act 2001?

    The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act 2001 (known as the USA Patriot Act) came into being as a direct response to the events in the United States on September 11, 2001. It gives authority to US Federal law enforcement agencies to obtain and share information involving foreign intelligence or counter-intelligence.

    The risk of requests by US authorities for data held by European businesses, such as Colt, with certain linkages to the US, is realistic. Such requests could be made under the Patriot Act. However, under EU law, Colt would have to answer negatively to such requests.

    The US is not alone with laws reminiscent of the Patriot Act. Most EU Member States also have comparable or more extensive provisions in place for access to data in the context of law enforcement and national security.
    Contact Colt

    You can contact us on +44 (0) 20 7390 3900, email us via this form, or visit us at www.colt.net.

    About Colt

    Colt is a leading international network and IT services company. We help businesses perform better by removing the complexity around delivering and integrating IT, network and data centre services. From individual products to fully integrated solutions, we provide tailored services to large enterprise, small businesses, channel partners and operators. With a network spanning 22 European countries and an increasing presence in the U.S. & Asia, Colt delivers advanced business performance wherever our customers need it. Our customers benefit from simple, seamless solutions which cut through the complexity of IT services, leaving them free to focus on core business objectives. This is what makes Colt the Information Delivery Platform.

    © 2013 Colt Technology Services Group Limited. The Colt name and logos are trade marks. All rights reserved. Ref: CT-0031