The Sony hacking scandal highlighted just how vulnerable even the biggest companies can be to data breaches and just how much damage data leaks can do. The disclosure of detailed personal information about staff and their families, along with sensitive internal information, resulted in lawsuits, damage to the brand’s image and ongoing concern about whether the company can be trusted with employees’ and customers’ personal information.
In the UK, businesses are legally obliged to safeguard information belonging to themselves, their customers and their staff under the Data Protection Act. Motivations for data compliance should go beyond just fear of legal problems though, as leaks can cause major personal and business problems.
A leak puts individuals at risk of identity or financial fraud, distress, or even danger if sensitive information is disclosed. Businesses face similar risks of financial fraud, along with the release of confidential business data and reputational damage. What can SMEs do to ensure that they’re complying with data security best practice?
What information can you keep?
In a nutshell, businesses must only gather and store data about their customers and staff that is necessary and accurate, must safeguard it and must not transfer it outside the EEA unless similar levels of protection exist there.
How does this work in practice? Take as an example a clothes retailer that sells online and through a store. They have collected a list of customer information for marketing purposes, including mailing addresses and email.
Providing that they respect customers who wish to opt out and keep the data secure, this is fine. However, problems would arise if the business wanted to keep detailed personal information, such as credit card details, or if it shared this data without the express permission of its customers.
Companies often hold sensitive data about their employees, from medical history, personal issues and financial information to details about work performance. Accidental disclosure of this, even just within the company, can cause distress and embarrassment or even put an employee at risk of bullying.
Apart from keeping personal information secure online and offline, this information should only be shared with those who have a clear need to know. Even simple carelessness, such as walking away from a computer with a sensitive file open instead of locking the workstation, could cause a data breach.
During the recruitment process, businesses need to be careful that their vetting process isn’t overly intrusive, for example by requesting Criminal Records Bureau checks or detailed data from previous employers when there is no clear need.
It’s simply not enough to ensure that data is compliant when it’s gathered. Businesses have a responsibility to review data on an ongoing basis.
All information needs to be kept up to date, including customer records. This can be achieved by cleansing databases and deleting information when you no longer need it. However, deleting information isn’t always the best policy. If a customer requests to be removed from a marketing database, it might be wise to retain enough basic information to ensure they’re not added again.
For existing employees, businesses need to check whether the information they’re holding is reasonable. In-depth medical information needs a justifiable reason to be kept and should be kept away from absence records – not everyone who needs to see that information needs to know the reasons for it.
Reviewing security and training
Businesses need to check data security regularly. The security software purchased five years ago might not be appropriate now, and cloud and outsourced data storage in particular need to be looked at carefully. This also includes checking that former staff members can’t access information.
It’s not just past employees that can pose a security risk – human error causes most data breaches. If staff at all levels aren’t aware of their responsibilities, this can easily open the door to data loss. Those responsibilities range from recognising a phishing phone call that tries to elicit information about a customer or employee to destroying records securely.
Under the Data Protection Act, people have the right to request to see all information held about them, although some sensitive data that involves other people may not be revealed. All businesses have an obligation to respond to these requests within 40 days.