You need to ensure you have the requisite procedures set up to manage the information risks in a structured way.
To manage the risks involved you have to have a clear understanding of what is involved. This covers you and any data processors you use.
You will need to identify a senior person in your staff to oversee the entire risk profile from data management this is likely to derive from an Information Audit. Ideally they already report at Board level so that they have the standing and gravitas to be taken seriously with the organisation.
This senior person will end up co-ordinating:
- procedures to address the risks - which includes checking:
- plans to mitigate the risks
- the recording and tracking of risk assessment data assets (ie everything you have that is either data in its own right, or controls that data (programmes, people, protocols etc)
- monitoring of how well the procedures are followed:
- within your organisation
- by the data processors working for you
- reporting to the Board:
- keeping them aware
- alerting them to weaknesses
- alerting them in the event of data breaches
- alerting them to developments in the data security field
The natural approach is to:
- identify the risks:
- identify what can be done to mitigate those risks through a range of options:
- changing how the tasks are undertaken
- passing the responsibility to someone else
- deciding not to undertake those actions altogether
- draw up the appropriate plans to implement such changes so that the resultant systems are as low risk as you can sensibly operate while still achieving the tasks you are set out to do. This forms part of the Data Protection by Design approach.
- determine the residual risk that remains once all mitigation and alterations have been made – and determine the optimum way to make this the way the organisation operates in the future.