Five ways to do it better
No matter what industry you work in, the chances are that you’ll be handling and holding the data of individuals. You may call them customers, clients, patients, service users or members but it’s likely that you will be storing their names, addresses and other personal details.
In many organisations, the volume of this personal information has grown to unmanageable quantities through years of cheap storage, mergers and acquisitions, and a general lack of concern about the consequences.
The dangers of holding so much data have been brought to light by a series of high-profile data breaches in the past few years, while the advent of the new European Union General Data Protection Regulation (EU GDPR) has concentrated corporate minds on the need to avoid potentially colossal financial penalties. And if the fear of fines or breaches hasn’t been enough to spur you into action yet, the rise in consumer anxiety following the scandals of Cambridge Analytica and Facebook should have done so.
Below are five steps to doing data protection better.
- Get to know your own data
Can you identify exactly where all of your organisation’s personal data is being held? If not, you need to map out all of your systems to find out. The best way to do this is to track the path of the data from the moment it first enters your organisation, be it physically or digitally. From here, establish where it has ended up and where it has been in the process. The EU GDPR will give your customers the ‘right to be forgotten,’ which means that they can request to be removed entirely from your records. If they place this request, you need to be able to delete all instances of their data, completely and immediately.
- Less is more
One excellent recommendation of the EU GDPR is to hold as little personal data as possible. The more information you have, the more attractive you are to hackers and the more you have to lose. Our own advice is to assume that you will certainly be breached at some point and to minimise the damage when that happens. Ideally, when the hacker breaks in they will find nothing of value. If personal data is stolen, however, you will need to explain yourself to the Information Commissioner’s Office, so make sure you can justify why you are holding each and every record. If you don’t have a good reason to hold it, get rid of it.
- Make life harder for hackers
If you do need to keep personal data, put as many obstacles as possible in the way of the fraudster.
Use tokenisation or pseudonymisation and separate uniquely identifiable details such as email addresses and telephone numbers from all other data. In this way, complete records are assembled only when a record is actively required for the purposes of a specific transaction or query.
If you need to keep customer data for longer than the active life of the record, for example for analytical purposes, remove the personal data altogether. Strip away anything that can actively link it to an individual – name, address, email address – and replace these with a new unique reference number. You can also use non-unique “filler” data for this purpose, ensuring that there is no way to reverse engineer an individual record using attributes from previous or existing databases. If your data is ever hacked, this means that nobody can be identified.
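As an added illustration of the separation described above (example code written for this article, not Semafone’s own), the following Python sketch keeps the identifying fields in a vault keyed by a random token, assembles a full record only when a transaction needs it, deletes every instance on request, and gives analytics rows a fresh reference number that is not derived from the token. The field list and the sample customer are constructed for the example.

```python
import secrets

# Directly identifying fields to hold separately (constructed list for this example).
IDENTIFYING_FIELDS = ("name", "address", "email", "phone")

SAMPLE_CUSTOMER = {  # constructed sample record, not real data
    "name": "A. Example", "email": "a.example@example.invalid",
    "phone": "+44 0000 000000", "address": "1 Example Street",
    "plan": "gold", "spend_gbp": 120,
}

class PseudonymisingStore:
    """Two separate stores: a vault of identifying details keyed by a random
    token, and operational records holding only the token plus other data."""
    def __init__(self):
        self.vault = {}    # token -> identifying fields (tightly controlled)
        self.records = {}  # token -> non-identifying fields

    def add(self, record):
        token = secrets.token_hex(16)  # random, so the token itself reveals nothing
        self.vault[token] = {k: record[k] for k in IDENTIFYING_FIELDS if k in record}
        self.records[token] = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
        return token

    def assemble(self, token):
        """Re-join the complete record only for a specific transaction or query."""
        return {**self.vault[token], **self.records[token]}

    def forget(self, token):
        """Right to be forgotten: remove every instance held for this token."""
        removed = token in self.vault or token in self.records
        self.vault.pop(token, None)
        self.records.pop(token, None)
        return removed

def anonymise_for_analytics(full_records):
    """Strip identifiers altogether and issue a new reference number that is
    independent of the vault token, so analytics rows cannot be joined back."""
    rows = []
    for rec in full_records:
        row = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
        row["ref"] = secrets.token_hex(8)
        rows.append(row)
    return rows

def demo():
    """Run the constructed sample through both paths."""
    store = PseudonymisingStore()
    token = store.add(SAMPLE_CUSTOMER)
    operational, full = dict(store.records[token]), store.assemble(token)
    analytics = anonymise_for_analytics([SAMPLE_CUSTOMER])
    return operational, full, analytics, store.forget(token), store
```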
- Educate your employees
A recent study by HANDD Business Solutions has found that employees are frequently a business’s weakest link when it comes to data protection. While it’s important to trust your staff, regular training in basic security procedures such as changing passwords and looking out for phishing or spear phishing attacks is absolutely essential. Managers must ensure that policies are kept up to date and hold regular tests to make sure that the entire team knows how to put these into action. In the event of a breach or a complaint, the ICO will be asking questions to find out how robust your procedures are so don’t lose control of them for a second.
- It’s not just about you
Making sure the customer data that you hold is secure and encrypted is only the first hurdle. If you are working with partners for some aspects of data processing, then it’s up to you to make sure that their processes and security measures are as robust as yours. The EU GDPR makes this a legal as well as a moral duty by holding you responsible if one of your partners allows a data breach to take place. Always carry out due diligence on data processing partners and set up contractual agreements with them to clarify expectations on all sides.
Now’s the time
Volumes of personal data are growing every day, accelerated by innovations in technology from wearable devices and connected cars to health apps and Alexa. At the same time, individuals are more aware than ever of the risks to their privacy that sharing their personal details can bring. Trust is increasingly hard-earned as consumers become more suspicious. For businesses, there is no alternative but to start taking data protection seriously.
Sourced by Mandy Pattenden, marketing communications director, Semafone.