We all know why we need to manage sensitive data responsibly but, with more than 480 million records leaked last year alone according to IT Governance, are we taking it seriously enough?
We live in a digital age so, when you say ‘data breach’ most people automatically think of online attacks – like those recently reported by Yahoo and TalkTalk. Although this style of attack is a major and growing threat for businesses, we mustn’t underestimate the power of paper.
Every individual and company uses paper to store information in one way or another, and simply throwing it in the bin after use should not mean out of sight, out of mind. Paper-based breaches are a common, and sometimes easy, way of accessing private information, so the disposal of paper records should be treated with high importance. The same rule applies to office devices such as printers, USB sticks and hard drives, which can still hold data even after they have been wiped.
Failing to safeguard sensitive information – both paper and digital – is likely to result in a hefty fine under the Data Protection Act. However, in 2018, this will be replaced with the new EU Data Protection Regulation (GDPR) which will have major implications for all sectors on the way data is collected, stored and accessed and, despite Brexit, this will impact UK businesses.
Under the new regulation, the fines for data breaches will be higher – in the millions – and European citizens will have greater control and more rights over the information held about them. For example, people will have a ‘right to be forgotten’ if they want old or inaccurate data about them to be deleted. So, any company holding identifiable information about an EU citizen, no matter where it is based, needs to be aware.
With major changes in data law impending and information breaches an all too regular occurrence, the question is: how can companies manage and securely destroy sensitive data to avoid a breach?
Eight top tips for protecting sensitive data:
1. Human error – ensure all staff are educated
It is estimated that 80% of data breaches stem from human error. Therefore, it’s essential that staff know what is expected of them and understand the consequences of failing to protect sensitive data. This responsibility extends to temporary staff just as much as permanent staff.
2. Data protection – review your policies regularly
Data protection policies should be up to date, comply with current legislation and be reviewed in line with business change. A regular programme of training which includes frequent refresher sessions is vital because legislation and rules on handling data can be subject to change. Start preparing now for the EU GDPR.
3. Sensitive data – store safely and restrict access
It is important to ensure all paper files and media devices containing sensitive information are stored securely either on site or with a third party. Take regular back-ups of the information stored on your computer and keep it in a secure, separate location. It is also prudent to restrict employees’ access to sensitive data, giving access only to the information they need to do their job whether online or on paper.
4. Data disposal – remove risk of confusion
Implementing a ‘shred all’ policy will remove any confusion staff may have over what is classed as confidential material, and eliminate the risk of human error. Data should also be wiped from electronic devices such as computers, laptops and USB sticks, all of which should be stored in locked containers or rooms while awaiting secure disposal.