So, what actually is a data breach, and how can you stop them?
The fun part about this is that data breaches can come in all shapes and sizes and from every direction imaginable! It’s not just those nasty hackers who are after your data, you or your staff may inadvertently (or purposefully) cause a breach. Keeping a handle on all of these potential weak spots is going to require a lot of organisation, training and records management.
Amongst the more wide-reaching breaches of data privacy reported by the ICO this year, there are several seemingly small data breaches listed. These are cases where relatively little data was accessed and/or taken and yet they will potentially have caused great personal distress to affected individuals and also a potential loss of business for the organisations involved. These are cases where, amongst other things, medical staff have accessed medical records belonging to others for no genuine medical purpose, cases where a member of staff has left a company and taken customer details with them and cases where Police forces have lost unencrypted DVD evidence and testimonies.
So, imagine you’ve got the greatest cybersecurity protection available. You sleep soundly at night because you know the bad guys can’t get to your data. But have you considered those pesky ‘human factors’? AI aside, computers are still only as smart as the people operating them, and if you don’t make information security a priority for all of your staff, they could cause you just as many problems and cost you just as much money as hackers can. The importance of training and awareness raising cannot be overstressed! It is incredibly easy to go through a working day just ‘going through the motions’ with no credible thought as to the potential risks associated with what we’re doing.
And it’s not just a question of making sure no one has ‘Password2018’ as their password anymore; your staff need to be conscious of how even their most mundane daily tasks may be a potential data breach point, because any point at which your data is handled by a person is a point of potential weakness. Getting your CIA (Confidentiality, Integrity and Availability) right is essential; more than that, it’s now your legal duty. But making sure your staff, all of your staff, realise that GDPR and information security are their collective responsibility and not just a problem for your IT team to deal with is also essential.
Your DPO can help you with staff training as well as the legal/administrative side of the GDPR; have a talk with them about how best to engage your staff and to encourage personal responsibility for data safety.