Friday, 26 November 2010

Data Protection and CRM

If you live in the UK you probably can’t have missed the recent Data protection news items:

“The ICO imposed penalties on the Hertfordshire County Council of £100,000 for twice misdirecting faxes and on employment services company firm A4e of £60,000 for failing to encrypt 24,000 personal records on a stolen laptop” - www.computerweekly.com

In the UK at least, the Data Protection Act 1998 is in place to protect individuals' personal information that may be held by various agencies or companies.

The full Act is, I have to say, a fairly complex piece of work (if you are interested you can read the whole thing here).

So what does that mean for companies with large databases of customers or potential customers, for example a company with a CRM system? Such a system could be used for lead management, customer relationships or case management. What can companies do to avoid the sort of problems faced by HCC and A4e?

The ICO (Information Commissioner's Office) has a number of general guidelines that are at the very least a baseline for adherence to the Data Protection Act:

For computer security: 

  • Install a firewall and virus checking on your computers.
  • Consider upgrading your operating system.
  • Protect your computer by downloading the latest patches or security updates, which should cover vulnerabilities.
  • Only allow your staff access to the information they need to do their job and don’t let them share passwords.
  • Encrypt any personal information held electronically if it will cause damage or distress if it is lost or stolen.
  • Take regular backups of the information on your computer system and keep them in a separate place so that if you lose your computers, you don’t lose the information.
  • Don’t dispose of old computers until all the personal information on them has been securely removed (by using technology or destroying the hard disk).
  • Consider installing anti-spyware. This protects against software that can be secretly installed on your computers. It can monitor use, look for private information or even give someone else control of your computer.

For other security: 

  • Shred all your confidential paper waste.
  • Check the physical security of your premises. 
  • Train your staff:
    • so they know what is expected of them
    • to be wary of people who may try and trick them into giving out personal details
    • that they can be prosecuted if they deliberately give out personal details without permission
    • to use a strong password: these are long (at least 7 characters) and have a combination of upper and lower case letters, numbers and special keyboard characters like the asterisk or currency symbols
    • not to send offensive emails about other people, their private lives or anything else that could bring your organisation into disrepute
    • not to believe emails that appear to come from your bank that ask for your account, credit card details or your password (a bank would never ask for this information in this way)
    • not to open spam – not even to ask for no more mailings. Tell them to delete the email and either get spam filters on your computers or use an email provider that offers this service

There is also the subject of data encryption. Again the ICO has some guidelines on this, but the crux of the matter, I think, after the recent cases is to look at your information systems, whatever they may be, and as a first stop make sure you’re adhering to the guidelines above. Then check out the ICO guidelines on data encryption.

I’m sure the cases above won’t be the last we’ll see, so make sure your data procedures are compliant before you’re the headline.
