By Ann Sellar, Secure Destruction Services Manager, Crown Records Management
We all know why we need to manage sensitive data responsibly but, with more than 480 million records leaked last year alone according to IT Governance, are we taking it seriously enough?
We live in a digital age so, when you say ‘data breach’ most people automatically think of online attacks – like those recently reported by Yahoo and TalkTalk. Although this style of attack is a major and growing threat for businesses, we mustn’t underestimate the power of paper.
Every individual and company uses paper to store information in one way or another and simply throwing it in the bin after use should not mean out of sight, out of mind. Paper-based breaches are a common, and sometimes easy way, of accessing private information and should therefore be treated with high importance when it comes to disposing of it. The same rule applies to office devices such as printers, USB sticks and hard drives which, even when wiped, continue to hold data.
Failing to safeguard sensitive information – both paper and digital – is likely to result in a hefty fine under the Data Protection Act. However, in 2018, this will be replaced with the new EU Data Protection Regulation (GDPR) which will have major implications for all sectors on the way data is collected, stored and accessed and, despite Brexit, this will impact UK businesses.
Under the new regulation, the fines for data breaches will be higher – in the millions – and European citizens will have greater control and more rights over the information held about them. For example, people will have a ‘right to be forgotten’ if they want old or inaccurate data about them to be deleted. So, any company holding identifiable information about an EU citizen, no matter where it is based, needs to be aware.
With major changes in data law impending and information breaches an all too regular occurrence, the question is: How can companies manage and securely destroy sensitive data to avoid a breach?
Eight top tips for protecting sensitive data:
> Human error – ensure all staff are educated
It is estimated that 80 per cent of data breaches stem from human error. Therefore, it’s essential that staff know what is expected of them and understand the consequences of failing to protect sensitive data. This responsibility extends to temporary staff just as much as permanent staff.
> Data Protection – review your policies regularly
Data protection policies should be up to date, comply with current legislation and be reviewed in line with business change. A regular programme of training which includes frequent refresher sessions is vital because legislation and rules on handling data can be subject to change. Start preparing now for the EU GDPR.
> Sensitive data – store safely and restrict access
It is important to ensure all paper files and media devices containing sensitive information are stored securely either on site or with a third party. Take regular back-ups of the information stored on your computer and keep it in a secure, separate location. It is also prudent to restrict employees’ access to sensitive data, giving access only to the information they need to do their job whether online or on paper.
> Data disposal – remove risk of confusion
Implementing a ‘shred all’ policy will remove any confusion staff may have over what is classed as confidential material, and eliminate the risk of human error. Data should also be wiped from electronic devices such as computers, laptops and USBs – all of which should be stored in locked containers or rooms while awaiting secure disposal.
> Retail destruction – make sure retail goods do not reach the black market
All types of retail goods such as clothing, shoes or books which have been misprinted or overprinted should be properly destroyed to protect the company’s brand.
> Encryption and password protection – safeguard all electronic devices
Passwords should be changed on a regular basis and staff need to be aware of when to do so. It is best practice to ensure passwords contain a minimum combination of six to eight letters, numbers and special characters, using upper and lower case, in order to reduce the risk of the password being compromised. Encryption adds another level of data privacy and should be placed on all devices including mobile machines, back-up tapes and laptops.
> Reporting breaches and updating policies – assign ownership
Knowing who is responsible for reporting a breach is crucial. The new regulations stress a breach must be reported immediately – leaving it until your company’s CIO is back from holiday is not an option. Therefore, assigning someone, or a small team, to take ownership is essential.
What’s more, with EU GDPR fines for non-compliance due to be set at up to five per cent of global annual turnover, it is vitally important that the same individual or team takes responsibility for staying up to date with new regulations and introducing any change.
> Office equipment – dispose of it properly
Multifunctional devices with hard drives such as copiers, scanners and printers can contain sensitive information such as copies of printed and scanned documents and represent a potential data risk. These must be collected by a reputable company and securely destroyed.
Come 2018, companies will require explicit consent from people to gather their personal data. So, get those processes in place early. Any company that stores personal data should consider what the legitimate grounds for its retention are and how it will communicate this to their customers.