The risks when processing personal data and who is responsible

The controller has to determine who can access data, when and under which conditions (confidentiality of the data), as well as how the data is to be collected and who can process or modify it (integrity of the data). The controller also lays down the period during which the data must remain accessible and the method used to make it available (availability of the data), and finally has to determine which evidence has to be generated (who accessed which data, and when).

In the past, a company's IT specialists in particular were in charge of information security, and a number of technical measures were sufficient to protect the information system.

But so much has changed, and there are so many new possibilities and applications, that information security now requires a comprehensive approach. Even though management has to take the initiative, any individual who can influence one element or another of the information system has responsibilities nowadays. That is almost every person who works for the company. It is of the utmost importance that everybody actively participates in safeguarding security, every single day.

Management does so by drawing up a policy and ensuring that the measures it introduces are actually put into practice; members of staff do so by acting according to those measures, for example by not disclosing unnecessary information, by making sure that the door of a room where confidential information is stored is locked properly, or by not giving a personal access code to somebody else, …

For itself and for its staff, management has to draw up a code of conduct and make its members of staff aware of it. All members of staff have to realize how important it is that they observe the security rules. They have to be fully aware of the consequences of not handling information with due care and according to the rules. For everyone in the company, observing security measures should become second nature. This is the only way for a security policy to be effective.