A sensitive subject
What security measures are necessary when handling personal data?
It all depends on how sensitive the data is. We can help you work this out by drafting an internal security policy document mapping the kinds of personal data you handle and the associated risks. Once this is established, we engage a security expert to suggest the measures you should implement. We’ll review these together to ensure that you get the level of protection your company requires.
Do my subcontractors also have to take security measures?
You’re legally responsible for ensuring that any subcontractors you hire take sufficient measures to protect and secure personal data. The best way to do this is to make sure your contract includes this obligation, as well as provisions for monitoring compliance. Informing users and the supervisory authority about a data breach is mandatory as of 1 January 2016. However, we would go further, and recommend that you ask for regular reports on subcontractors’ security systems.
When should I use encryption?
As you’ve probably guessed by now, there aren’t many hard and fast rules about security, but encryption is a solid (but not infallible) way to protect the confidentiality of personal data. Whenever there’s a high risk that this confidentiality might be compromised, you should seriously consider encrypting data: for example, when using forms on a website which collect personal data, or when storing sensitive data on something that might easily be lost (e.g. a USB stick).