Keeping data secure

What security measures do we need to put in place?

It depends what type of personal data you’re holding and using, but we’ve written a basic guide covering some practical ways to keep your IT systems safe and secure, to help you get started.

Some security measures are common sense and are likely to be part of your usual procedures, even if you haven’t thought of them as data protection measures before – locking cabinets and ensuring the windows and doors of your workplace are secure, for example. It’s likely you have electronic security measures in place, too, such as strong passwords, firewalls, and anti-virus software.

Other measures might take a little more thought and planning, such as training your staff on how to spot suspicious emails and making sure you don’t hold on to data for longer than you need it.

Information about people that is particularly sensitive – such as health data – needs extra protection.

What types of data need more protection?

There are some types of personal data that are likely to be more sensitive, known as special category data under the UK GDPR.

This includes personal data revealing or concerning:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • health;
  • a person’s sex life; and
  • a person’s sexual orientation.

If you’re processing any of these types of data, you should give particular consideration to how and why the data is used, and make sure you only use it when it’s absolutely necessary.

How do I know if personal data is high risk or sensitive?

You’re probably already familiar with the types of personal data that are generally considered high risk or sensitive based on how you feel about sharing it when it’s about you or someone in your care.

For example, many of us would be cautious about sharing information about our medical history, political opinions, or sexual orientation. But if asked for our email address, we’d probably be less concerned. It would depend on who is asking and what we think might happen to the data.

Data protection law takes this idea and makes some firm rules about the types of data that need more protection, which are known as the ‘special categories’ of personal data.

Outside of these special categories, knowing whether personal data is high risk or sensitive also partly depends on the risk of that data falling into the wrong hands, which your risk assessment will help you to work out.