February 2017 – Prioritising Personal Data Protection

As UK businesses prepare themselves for the changes that Brexit could bring, data protection is coming to the fore with the imminent introduction of the General Data Protection Regulation (GDPR). We’ll be looking at GDPR in more detail in our next newsletter but in the meantime we’re taking a look back at our Weakest Link article as a timely reminder of personal data security best practice.

Data is the lifeblood of any organisation. We have access to an abundance of data and we must ensure it is properly protected. Technologically, we can use a multitude of methods to secure personal data, but any chain is only as strong as its weakest link.

In our hectic information laden world, there is an expectation that we should have access to everything all of the time. We also presume that when organisations hold our personal data, it will be kept securely and organisations indeed have a duty of care and a legal responsibility to ensure that is the case.

But despite the law there are many news reports of personal data being stolen or lost, through unencrypted laptops or USB’s being lost or stolen and confidential papers being sent to the wrong people or address or even being disposed of in public bins.

So, how can can you do to avoid this happening in your organisation? There’s a huge amount of support out there for you, but where do you start?

Handling the Data
Firstly, identify where you store and process personal data within the organisation. Determine whether this is is really necessary and reduce your personal data footprint where possible.

Personal data must then be classified, so you know how to treat it and who needs access to it, and set rules for handling of the data, i.e. how it is stored, distributed, and what you do with it once it is no longer needed.

Once you’ve decided how you will treat the data, you can start to introduce security measures. These could be IT related such as access control (who has access to the data), encryption on storage devices and backups of the data – after all, technology is fallible!

Alternatively measures could relate to physical copies of the data such as secure bins for confidential waste or, if really sensitive, straight to the shredder. When transporting data off-site, replicate the measures you have on-site, e.g. papers in locked containers.

Incident Management
Mistakes can happen so you need to be prepared to deal with them quickly and effectively. You should have a Security Incident Management process in place, starting with a plan of what to do if you lose personal data, including damage limitation. Inform people about what has happened and what you are doing about it. This must include the people whose data has been lost and any organisations you are be duty bound to tell. Review what happened, see if there’s anything you could do better or differently and do it!

The Human Element
We’ve put rules in place to handle personal data and we’ve got a plan of what to do if something goes wrong. The final piece in the jigsaw is people – unfortunately they are the ‘weakest link’! 

Legally companies are required to ensure the reliability of people who have access to personal data. How is this done? Again, it’s back to security measures and getting them embedded into the company culture.

Start with implementing a HR process to screen staff prior to employment and write rules on handling of personal data into employment Terms and Conditions. Committing a security breach part should be included in your HR disciplinary process and establish a formal training, education and awareness programme for cyber security and include this in the company induction. Establish the culture from the top or the organisation and make people feel comfortable with it.

Encourage personal responsibility. Have any of us actually challenged someone walking round their office without a visible ID badge? Have we checked that the person on the phone is really who they say they are? Is that person removing the PC really from the IT department? Admittedly, we may feel uncomfortable challenging people in this way, but a little discomfort must be better than seeing your company name in negative print and being fined by the ICO for losing or disclosing personal data. Not to mention the impact on reputation.

Invest in your people to ensure that security becomes embedded in your company and remember that trust can slowly be gained but can very quickly be lost.