Some of the basic questions you should ask about data protection:
How is information governed at your business?
Do you classify your data and identify which of it is sensitive?
What are your responsibilities to protect the sensitive data under your control?
Is your sensitive or most valuable data encrypted?
Do you have a policy defining retention periods for information, for both hard and soft copies?
Do you have procedures covering the management of personal private information?
Do you have procedures for disposing of waste material?
Do your policies for disposing of equipment protect against loss of data (e.g. old computers, printers, hard drives, etc.)?
Do your disposal procedures identify appropriate technologies and methods for making hardware and electronic media?
Do you review and revise your security documents, such as policies, standards, procedures, and guidelines?
Do you audit your processes and procedures for compliance with established policies and standards?
Does management regularly review the lists of individuals with physical access to sensitive facilities or electronic access to information systems?
What tools do you use to protect your data?
How often do you test the effectiveness of the controls you have in place?
Have you implemented the three lines of defense? (1st: business and IT; 2nd: information and technology risk management; 3rd: internal audit)