It is important that we evaluate the effectiveness of our response to a breach and not just the cause. Evaluation may also flag up a requirement to review our policies and/or procedures.
It is essential that we know what personal data is held in the office and where and how it is stored, as it is much easier to deal with a breach if we know which data are involved. Our notification to the ICO can help with this.
We should also evaluate where the biggest risks lie, taking account of how much sensitive personal data we hold, and whether we store data across the business or whether it is concentrated in one location.
As identified above, we must make sure that when we share data, the method of transmission is secure and that we share or disclose the minimum amount that is necessary.
We also need to identify any weak spots, e.g. portable storage devices and access to public networks, and ensure that we monitor staff awareness of security issues and fill gaps with training and/or tailored advice.