As individuals we should fear what data breaches can mean to us. The effect of a data breach ranges from damage to reputation through financial impacts to a complete cloning of identity. Please be aware that this way of presenting severity is only one view – there are many others – and many other individuals would include something not listed above as they deem it more important.
In essence, what this is all about is where the information about an individual is lost, or stolen. This is where cyber security crosses over into the world of data protection – big time. To put this practically, there is no sense to use a bank vault if you don’t close it and lock it properly, things will go missing!
The actual list of types of data breach is as follows:
- Access by an unauthorised third party.
- Deliberate or accidental action (or inaction) by a controller or processor.
- Sending personal data to an incorrect recipient.
- Computing devices containing personal data being lost.
- Alteration of personal data without permission.
- Loss of availability of personal data (deletion).
The things you can do something about
Once you have your policies and procedures written the things where you can, and should, be able to reduce the possibility of a data breach are definitely as follows:
- Deliberate or accidental action (or inaction) by a controller or processor.
- Computing devices containing personal data being stolen;
- Alteration of personal data without permission; and
- Loss of availability of personal data (deletion).
Each of your policies should have procedures that identify processes that put data at risk, like downloading to MS Excel. I mean how do you control how much data is downloaded, then sorted, then inappropriate stuff deleted? Policies dictate the why and procedures dictate the how. By this I mean who, according to our procedures, has the authority to download the material, who can that be passed on to (to alter it may be) and what controls does the procedures have to ensure that the right person gets (or has access to) the right data? Under our legislation it can be as bad to delete something before it should be (as the individual no longer has access to it) as it is to lose some data.
Let’s not forget that the poor Data Controller has the responsibility to set up all of the policies and procedures and get them reviewed regularly. Make sure that this person, or people in some cases, have the correct job role, seniority and access to management, to perform their role effectively.
The things you think are beyond your control.
This is the scary list – if you like.
- Access by an unauthorised third party.
- Deliberate action (or inaction) by an employee.
- Computing devices containing personal data being stolen.
- Alteration of personal data without permission.
- Loss of availability of personal data (deletion).
“How can I control any of this stuff?”, you might ask. It is true that your controls cannot stop everything, but good cyber controls will stop a lot of it. Nevertheless, your controls can help stop of it too.
For example:
- Never open links or pictures, or other files, on an email unless you know the person that sent them.
- Always make sure that employees are aware of the boundaries of their role and that they perform well within those boundaries (this could even relate to extending the SSL certificate on your website).
- Make sure that mobile devices issued by your organisation (or paperwork that is allowed to be removed from the office) are treated in an appropriate fashion and not left in public areas, etc.
If you can’t tell by now the biggest asset to compliance with data protection legislation, or at least understanding what’s right for you, is to have the right attitude to peoples’ data. If you always put profit over protection, then at some point there will, most likely, be a consequence. If things do go wrong the Data Controller will be the person to contact the ICO about the data breach, if appropriate.
There is so much more information available, some of it very detailed. Please look through the other blogs and see if the information you want is provided.
If not, we would be pleased to answer your enquiry through enquiries@eyebray.com , or visit https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for more information direct from the ICO.
