In the year since the General Data Protection Regulation (GDPR) came into force, the number of breaches reported to the Information Commissioner’s Office (ICO), the UK data protection regulator, topped 14,000 compared to 3,300 in the previous year. This substantial increase can be attributed to greater awareness by both businesses and individuals about how personal data should be collected and processed. It’s important for businesses of all sizes and in all industries to be aware of what constitutes a breach, so we have put together our 5 top tips for recognising a breach and how to prevent one:
1. What is a breach?
A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. This is an extremely wide definition and could include emailing an unintended recipient, losing a memory stick, or setting incorrect access controls for HR records. A breach must be reported to the ICO within 72 hours of becoming aware of it if it is likely to result in a risk to the rights and freedoms of an individual (e.g. financial, reputational, or discriminatory).
2. Staff awareness
No longer solely a board-level issue, data protection is now a topic that everyone in a business should be aware of. Any employee who handles personal data at all, even on a small scale, should be given appropriate training to ensure they understand their responsibilities according to their job role and level of involvement with data on a day-to-day basis. Staff are often the first line of defence, and proper awareness of GDPR, confidentiality and how to recognise phishing attempts and impersonation can be invaluable.
3. Data minimisation
Only collect the personal data from your customers or clients that you actually need. As well as being in breach of the data minimisation principle in the GDPR, excess data increases the chances of it being used inappropriately and leading to a breach.
4. Know your customer and suppliers
It’s really important that personal data is only disclosed to those who have a right to access the data. For your customers, think about what information you may need to take from them before you can be satisfied you are speaking with the correct person; for example, consider how to verify identity over the phone. For your suppliers (e.g. payroll or IT providers), it’s vital that an appropriate contract is in place containing each party’s obligations, including those regarding security, data breaches, and data subject rights. Also, the ICO expects a degree of due diligence to be carried out before engaging a supplier, for example by assessing security guarantees, financial robustness, and adherence to industry standards.
5. Security
As well as ensuring staff are adequately informed about their responsibilities, adequate technical and organisational security measures should be implemented to protect personal data both electronically and physically. Measures to consider include firewalls, passwords, backups, encryption, two-factor authentication, physical access controls, and locked filing cabinets.