Technology is changing every day, which is why it is important to be vigilant about your organization’s data security.

Allan Tarleton, senior partner and attorney at Van Winkle, says data breaches are inevitable for many businesses and nonprofits despite their best efforts. One key is to have a clear, written data security policy to minimize the chances of getting hacked and to communicate what to do if its data is compromised.

Tarleton recommends the following steps to protect the sensitive information of your customers and employees.

Step one: Assess your data inventory

The first thing he recommends is to inventory what kind of data you have, including customer, client and employee data. Consider if you have highly sensitive information—such as social security numbers, financial information or medical records—on file.

Step two: Determine how the information is being stored

Now that you know what type of information you have, determine how it is being stored. Does it live in hard copy files, on a web-based network that can be accessed via an employee’s smartphone or in software that is only accessible through a desktop computer at the office?

Step three: Develop or review your written data security policy

Next, you will need a written data security policy. If you don’t have one, now is a good time to talk with your attorney.

Be sure to train your employees on the policy and how to protect the company’s records. Additionally, you should have a system in place to regularly communicate the policy to employees and improve security practices.

Step four: Review how you are protecting sensitive data

Ask yourself these questions:

  • How are you retaining or destroying sensitive employee or client information?
  • Do you have a policy in place and are you following it?
  • Are you doing all you can do to protect your customers, clients and employees?

Step five: Evaluate your physical security

“It’s not just digital information that’s at risk—it’s paper files, computer screens that can be seen through a window, thumb drives, laptops and smartphones,” he says.

Mobile information, in particular, is often accessible to employees at all times. If an employee’s smartphone is stolen, for example, is your company’s private information secure? It’s important to make sure that the vulnerabilities that exist in those mobile devices are protected.

Worth the investment

Investing your time and resources into a data security plan is worth the effort.

“It’s important to have a culture within the business of security and safety,” says Tarleton. “At the end of the day, are you helping your clients and customers? Because it’s their information and their trust that’s really important to any business.”