As we enter the week of Valentine’s Day, it is important to recognise the significance of data security, particularly as the number of cybersecurity breaches has increased over the last few months. For example, you may decide to order your partner a bouquet of roses and, in doing so, enter your and your partner’s names, contact details, bank details and the recipient’s address, all of which constitute personal data. Unfortunately, the company may then suffer a cyberattack which leads to your data being compromised, and perhaps to a mix-up in which the roses are sent to the wrong recipient. With this example in mind, we explore the steps you can take to protect your personal data and encourage proactive, rather than reactive, action.
What would have been the company’s obligations in relation to the personal data?
The UK GDPR confirms that data controllers and data processors are under an obligation to comply with the data protection principles, and this includes ensuring that data is ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage…’. This means that, with reference to our example, the company would have had a responsibility to prevent the personal data being accidentally or deliberately compromised.
What proactive measures could be put in place?
The UK legislation stipulates that appropriate technical and organisational measures to safeguard the data should be implemented. It is best practice to put such safeguards in place before processing begins, as well as during the processing itself, so that they are effective. To understand which safeguards to implement, you should first complete a risk assessment. In our example, it may have helped if pseudonymisation or multifactor authentication had been in place when bank details were entered, and if the security of the website, the underlying systems and the access controls had been reviewed to ensure that the data was held securely.
Various surveys have found that humans are the weakest link in cybersecurity. This means that you cannot rely solely on technical or system security measures when protecting personal data. As a proactive measure, it is best practice to implement data protection policies, particularly for dealing with data breaches, and to ensure that staff are trained on these policies and familiar with the processes to follow when a data breach occurs, so that the response is swift and effective. In addition, having business continuity arrangements that set out how personal data will be protected and recovered is paramount to responding quickly to an attack. Finally, undertaking periodic checks to ensure that your security measures remain appropriate and up to date will reduce the risk of suffering a cybersecurity attack.
All you need is love… for your data protection practices!
By implementing technical and organisational measures, it is hoped that organisations can embed a culture of good data protection practice. Consistently educating staff about, and reminding them of, the security measures in place can greatly reduce the risk of a cybersecurity attack. For example, keeping anti-virus and anti-malware products up to date, restricting access to data to only those who require it, and enforcing strong passwords and regular password changes can all limit attacks.
For those adopting hybrid working in particular, it is even more important to maintain physical security in the ‘home office’. This includes not leaving your desk or confidential papers unattended, and ensuring that back-up devices are locked away in a separate space when not in use. Please read more about remote working practices here.
Overall, the first step is to manage your security risk by implementing appropriate organisational structures, policies and processes to understand and assess the risks. Next, you should consider which safeguards need to be implemented; the ICO recommends making such decisions with reference to the following:
- The state of the art (of technology);
- The cost of implementation;
- The nature, scope, context and purpose of processing; and
- The severity and likelihood of the risk(s).
Thirdly, you should implement the safeguards appropriate to your organisation and then create a framework for data security, ensuring that your staff are aware of the processes. Finally, it is important to continually monitor the security of your systems to ensure they remain effective against the risk of a cybersecurity attack, and to have a business continuity/response plan in place to manage cybersecurity attacks effectively.
If you need any advice in relation to cybersecurity attacks, please do not hesitate to contact a member of the data protection team.