We all know why we need to manage sensitive data responsibly but, with more than 480 million records leaked last year alone according to IT Governance, are we taking it seriously enough?
We live in a digital age so, when you say ‘data breach’ most people automatically think of online attacks - like those recently reported by Yahoo and TalkTalk. Although this style of attack is a major and growing threat for businesses, we mustn’t underestimate the power of paper.
Every individual and company uses paper to store information in one way or another, and simply throwing it in the bin after use should not mean out of sight, out of mind. Paper-based breaches are a common, and sometimes easy, way of accessing private information, so disposal should be treated with high importance. The same rule applies to office devices such as printers, USB sticks and hard drives which, even when wiped, continue to hold data.
Failing to safeguard sensitive information - both paper and digital - is likely to result in a hefty fine under the Data Protection Act. However, in 2018, this will be replaced with the new EU Data Protection Regulation (GDPR) which will have major implications for all sectors on the way data is collected, stored and accessed and, despite Brexit, this will impact UK businesses.
Under the new regulation, the fines for data breaches will be higher – in the millions – and European citizens will have greater control and more rights over the information held about them. For example, people will have a ‘right to be forgotten’ if they want old or inaccurate data about them to be deleted. So, any company holding identifiable information about an EU citizen, no matter where it is based, needs to be aware.
With major changes in data law impending and information breaches an all too regular occurrence, the question is: how can companies manage and securely destroy sensitive data to avoid a breach?
Eight top tips for protecting sensitive data:
- Human error – ensure all staff are educated: It is estimated that 80% of data breaches stem from human error. Therefore, it’s essential that staff know what is expected of them and understand the consequences of failing to protect sensitive data. This responsibility extends to temporary staff just as much as permanent staff.
- Data protection – review your policies regularly: Data protection policies should be up to date, comply with current legislation and be reviewed in line with business change. A regular programme of training which includes frequent refresher sessions is vital because legislation and rules on handling data can be subject to change. Start preparing now for the EU GDPR.
- Sensitive data – store safely and restrict access: It is important to ensure all paper files and media devices containing sensitive information are stored securely, either on site or with a third party. Take regular back-ups of the information stored on your computers and keep them in a secure, separate location. It is also prudent to restrict employees’ access to sensitive data, giving access only to the information they need to do their job, whether online or on paper.
- Data disposal – remove the risk of confusion: Implementing a ‘shred all’ policy will remove any confusion staff may have over what is classed as confidential material and eliminate the risk of human error. Data should also be wiped from electronic devices such as computers, laptops and USB sticks, all of which should be stored in locked containers or rooms while awaiting secure disposal.
- Retail destruction – make sure retail goods do not reach the black market: All types of retail goods, such as clothing, shoes or books, which have been misprinted or overprinted should be properly destroyed to protect the company’s brand.
- Encryption and password protection – safeguard all electronic devices: Passwords should be changed on a regular basis and staff need to be aware of when to do so. It is best practice to ensure passwords contain a minimum combination of six to eight letters, numbers and special characters, using upper and lower case, in order to reduce the risk of the password being compromised. Encryption adds another level of data privacy and should be applied to all devices, including mobile machines, back-up tapes and laptops.
- Reporting breaches and updating policies – assign ownership: Knowing who is responsible for reporting a breach is crucial. The new regulations stress that a breach must be reported immediately; leaving it until your company’s CIO is back from holiday is not an option. Therefore, assigning someone, or a small team, to take ownership is essential.
- Office equipment – dispose of it properly: Multifunctional devices with hard drives, such as copiers, scanners and printers, can contain sensitive information such as copies of printed and scanned documents and represent a potential data risk. These must be collected by a reputable company and securely destroyed.
By Ann Sellar, secure destruction services manager, Crown Records Management
Find out how to ensure that your company is fully prepared for the implementation of GDPR by attending the GDPR Summit Series, designed to help businesses prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at www.gdprsummit.london