The Information Commissioners Office (ICO) defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.”
Organisations may need to report a personal data breach to the ICO without undue delay. If unsure on whether a breach needs to be reported, consult your Data Breach Policy, or speak to your Data Protection Officer (DPO). Most breaches will need to be reported within 72 hours of their discovery.
The most common causes of data breaches are also those which can be commonly avoided in the first place and contained. Here we focus on the breaches that may occur under the sixth UK GDPR data processing principle of ‘confidentiality, integrity and security’.
Here are some simple actions that can reduce the risk of a data breach in your organisation:
Poor passwords
Many people still rely on predictable options like ‘PASSWORD’ or their pet’s name, which can be guessed or researched easily. Even passwords that systems classify as ‘good’ are susceptible to hacking with the help of computer programmes that run rapidly through millions of permutations.
Using the same credentials across multiple accounts and writing your passwords in an online or physical document will leave your personal data exposed to a very high level of risk.
Use a password manager tool, there are many on the UK market, to generate a password of at least 12 mixed characters. Ensure two factor authentication is also activated on all software, including social media accounts.
Hardware access
Personal data breaches are often seen as mainly related to high level corporate ‘Cyber Crime’, however, with working from home now the norm in many businesses the theft of paperwork, laptops, phones, and storage devices is now a common way of illicitly acquiring personal data.
Also, when working in coffee shops or co-working spaces never leave the screen unlocked and ensure no personal data is left unattended on the table, or in an easily accessible bag.
Is there also a robust UK GDPR policy in your organisation that covers working remotely and what procedures must be followed to ensure business continuity, minimise risk and always ensure maximum security of personal data?
Employee actions
These fall into two categories.
Malicious intent where a member of staff proactively steals data from the business. Removing, or severely limiting the access to the personal data of past employees, slows one major source of data breaches. In addition, as does being aware of those team members who may be dissatisfied with their role in the organisation, promoting regular employee contact as a good security tool.
However, employees do not have to act maliciously to cause a data breach. They may simply make a mistake, copy the wrong person into an email, attach the wrong document, or lose their mobile phone.
These breaches are simply unpredictable and that is why the reporting structure with the ICO needs to be in place, backed up by a robust Data Breach Policy.
Malware
Malware, which are malicious software programmes that can be hidden in the most innocuous places, provide a very tangible risk to organisations. Malware can be hidden in everyday emails, documents, and images. The rewards from placing Malware can be a little hit and miss for the hackers, which is why so much of it is identified at source by robust anti-virus and malware protection, which needs to be installed on your hardware.
Examples of Malware include ‘key loggers’ that can record every stoke of a key on your keyboard to sophisticated RAM scrapers that interrogate a devices memory and access the relevant files the hacker wishes to access.
The best practices for minimising risk are having an online security policy, annual online security audit, and engaging with a certified cyber security specialist. These are some common appropriate safeguards for your organisation.
A lot of the above may seem like common sense, however if the above steps are followed, coupled with annual data protection and online security training, allowing accountability to be demonstrated then the risks of a common data breach will be significantly reduced.
CSRB has a simple mission. To be clear and open about personal data protection. What you need, why you need it and what you are legally required to do.
We will help you manage and protect that data responsibly. We are also refreshingly jargon-free.
Get in touch with us here or call 0117 325 0830 to learn more about how we can bring clarity to your information governance framework.