Situation

Appropriate Steps

protection and security awareness training

• carry out regular risk assessments in order to

appraise the level of risk in a systematic way,

and develop appropriate controls

commensurate with the risk and the type of

personal data held

• develop compliance monitoring strategy and

procedures

Situation

Appropriate Steps

IT policy and

controls

• develop managerial policies, guidelines and

procedures to protect personal data stored

electronically to ensure confidentiality and

integrity of the data and accountability of

those who handle it, including (where

applicable):

– information inventory and classification

– physical and logical access control

standards to personal data, applications,

systems and network

– data retention and erasure policies

– acceptable use policy for IT facilities

– engagement of contractors guidelines

– data breach incident handling and

notification procedures

– encryption requirements, standards and

password protection

– mobile device management (including

bring-your-own-device) strategy

– use of social media by employees guidelines