The Courier & Advertiser (Fife Edition)
Staff are now the front line of defence in the business of data security
Dramatic increase in reports to the ICO
In the year since the General Data Protection Regulation (GDPR) came into force, the number of breaches reported to the Information Commissioner’s Office (ICO), the UK data protection regulator, topped 14,000, compared to 3,300 in the previous year.
It’s important for businesses of all sizes and in all industries to be aware of what constitutes a breach.
A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
This is an extremely wide definition and could include emailing an unintended recipient, losing a memory stick or setting incorrect access controls for HR records.
A breach must be reported to the ICO within 72 hours of becoming aware of it if it is likely to result in a risk to the rights and freedoms of an individual.
No longer solely a board-level issue, data protection is now a topic that everyone in a business should be aware of.
Any employee who handles personal data at all should be given appropriate training to ensure they understand their responsibilities according to their job role.
Staff are often the first line of defence, and proper awareness of GDPR, confidentiality and how to recognise phishing attempts and impersonation can be invaluable.
We recommend collecting only the personal data you actually need from your customers or clients. As well as being in breach of the data minimisation principle in the GDPR, excess data increases the chances of it being used inappropriately and leading to a breach.
It’s really important that personal data are only disclosed to those who have a right to access the data.
For your customers, think about what information you may need to take from them before you can be satisfied you are speaking with the correct person; for example, by considering how to verify ID over the phone.
For your suppliers, it’s vital that an appropriate contract is in place containing each party’s obligations including those regarding security, data breaches, and data subject rights.
The ICO expects a degree of due diligence to be carried out before engaging a supplier; for example, assessing security guarantees and financial robustness.
As well as ensuring staff are adequately informed about their responsibilities, businesses should implement adequate technical and organisational security measures to protect personal data both electronically and physically.
Measures to consider include firewalls, passwords, backups, encryption, two-factor authentication and locked filing cabinets.