Find out what you've got. An audit or review of the data you hold is the first step towards protecting it. 'Look at the data you are holding in different classes - for example customer or employee data,' says Simon McDougall, head of Deloitte's UK privacy and data protection team. 'You need to get a feel for the volume of data in each class, how it is used, and where it is held.'
Evaluate your overall risk profile. The sensitivity of the data, and the consequences if it got into the wrong hands, should determine how much investment and detail you need to apply to protecting it. Organisations in health or financial services typically need to devote greater resources to the issue than those in food or transport.
Adopt a standard. ISO 27001, based on BS 7799, sets out the requirements for an information-security management system, and covers policies as well as controls in the areas of people, process and technology. The main legislation you need to comply with is the Data Protection Act 1998.
Encrypt. The first question asked when data is lost is: 'Was it encrypted?' Mick Gorrill, assistant commissioner at the Information Commissioner's Office, says: 'It's essential that before a company allows personal information to leave its premises on a laptop there are adequate security procedures in place to protect personal information - for example, password protection and encryption.' Look at applications that ensure only encrypted data can be exported, or even at closing down unregulated channels, such as the USB ports on computers, through which data can leave unencrypted.
Restrict access. Allow access to personal data only to those who need it. Design your call-centre software so that operators can see details of only one customer at a time. Review regularly to check you're not holding on to data you no longer need. 'By doing so, you avoid storage costs and reduce the amount of worry,' says McDougall.
Assign responsibility. Avoid a silo mentality when it comes to data privacy; a holistic function such as information risk or information governance should take overall responsibility, superseding the roles of data protection officer and information security officer. You can give individuals or teams responsibility for specific sets of data but don't give them power to override your controls.
Change your culture. Your people can either be your last line of defence or your Achilles' heel. 'Through your culture and training, you need to embed an awareness that data has a value that goes way beyond the 0s and 1s,' says McDougall.
Do say: 'Personal data is one of the most valuable assets we hold and we will protect it accordingly.'
Don't say: 'Never mind what was on the laptop! Who's going to pay for a new one?'