The top line message is simple: if you store data digitally you need to protect it. There are two good motivating forces for this: the law, and the criminals.
From a legal perspective, the range of business data collected and stored that demands protection is broad, including customer details, employee records and financial transactions.
In the UK, the Data Protection Act is the key piece of legislation that applies. As of May 2018, the EU's General Data Protection Regulation (GDPR) will also affect all UK organisations holding personal data. Brexit offers no escape because the government has already decided to mirror GDPR post-exit, reflecting the volume and importance of cross-border UK/EU trade.
The aim of the data game
The main driver for legal enforcement of data controls is the constant threat of misuse, typically for fraud and identity theft using Personally Identifiable Information (PII): data that identifies an individual. The scale of the menace posed by criminals to businesses and individuals, and their ingenuity in accessing and acquiring data, needs no introduction.
This is why the range of business-held data that is protected by law is extensive, including:
- Dates of birth
- Physical addresses
- Telephone numbers
- Bank and credit card details
- Transactional data
- Photographic and CCTV images
Whoever the data subject is, whether current and former employees, their partners and next of kin, actual and prospective customers, suppliers or business partners, they have increasingly strong rights over the data your business holds about them.
Data Protection Act principles
In seeking to offer protection, the Data Protection Act applies to local and national government, charities, schools, banks, hospitals, supermarkets and all other commercial and non-commercial organisations. The fundamental aim of the Act is to ensure data held by these bodies is accurate, safe, secure and within the law.
To achieve this, it requires data holders to adhere to a number of principles. These include:
- All data should be processed fairly and lawfully - so you need to be clear, open and transparent about how and why you are collecting someone's data.
- Data collected for a specific purpose should not be kept longer than necessary; once it is no longer needed it should be archived or securely deleted.
- The nature of the security used to protect data should match the level of sensitivity of that data.
Preparing for GDPR
In addition to the UK's Data Protection Act, GDPR will soon demand that organisations identify and define the data they hold on customers and employees. This is driven by the fact that the regulation gives data subjects the right to access, correct and (subject to certain exemptions) have deleted the data held on them upon request. This applies to commonplace data points such as a name and address but also to less obvious ones such as an IP address.
Technology consultancy Gartner is predicting that by the end of 2018, more than half of affected firms won't be ready for GDPR. Non-compliance could mean fines of up to EUR 20m or 4 per cent of global annual turnover, whichever is higher.
Although some of GDPR's record-keeping obligations are relaxed for organisations with fewer than 250 employees, the regulation itself applies to any organisation that processes personal data. If you regularly deal with personal data, you must abide by the new regulations.
Your preparations for GDPR should include:
- Ensuring that all personal data you hold is stored responsibly and securely.
- Considering a central vault for personal data with effective security protocols.
- Ensuring that all your data security arrangements are regularly reviewed and updated.
- Preparing a security framework and an emergency preparedness plan which outlines clearly how personal data is to be handled and secured, and what employees should do if there is a breach.
- Considering appointing a dedicated Data Protection Officer (DPO) to handle all of the above. A DPO is mandatory only for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, so this is more likely to apply to larger businesses.
Beyond the law
The law is not the only interested party when it comes to data storage. Cybercriminals have a constantly evolving set of tools - both on and offline - that they use to gain access to financial and personal records held by organisations.
Data breaches can have an effect beyond any immediate financial loss. Loss of reputation has an almost incalculable financial impact, especially for firms trading mainly online. The threat of litigation from affected customers can stack up, especially if a class action is brought. These have been allowable in the UK since 2015.
Of course, the possibility of enforcement action for compliance failings hangs over any breach too: under the current Act, violations can attract fines of up to GBP 500,000 and, for some offences, criminal prosecution. But you can also use GDPR as an opportunity to improve the way you handle personal information, clarifying and sorting it to allow its better use.
What to do if...
If you suspect you have been the victim of a data breach, contain the incident and preserve logs and other evidence, then report it promptly to the relevant authorities. Under GDPR, a breach that risks individuals' rights and freedoms must be reported to the ICO within 72 hours of your becoming aware of it. Reporting helps their experts build a picture of ongoing events and trends, and it gives you access to the best advice.
For further information on data protection and cybercrime risks, visit our cybercrime hub: