Preventing A Data Breach
Key Contact: Declan Goodwin
Author: Rachel McCulloch
Businesses can hold a lot of personal data and, regardless of whether this data relates to its employees, customers, or someone else, it is essential that businesses protect the security of that data.
A personal data breach can be disastrous for a business; the UK GDPR sets a maximum fine of £17.5 million, or 4% of annual global turnover, whichever is greater. This is in addition to the impact on the business's reputation and customer loyalty, and the potential for litigation from those affected.
Below we outline some key ways you can minimise the risk of a personal data breach.
Security
Personal data should always be stored securely to ensure people without authorisation cannot access it. Some security measures you should be taking include:
- Keep personal data encrypted, anonymised or pseudonymised. You should also limit access to only those who need it: the fewer people who have access to the personal data, the lower the risk of accidentally exposing it.
- Use appropriate security software such as firewalls and VPNs, and regularly check for updates and apply patches, as networks are vulnerable when updates are ignored.
- Carry out vulnerability assessments to check for any security weaknesses in your systems and take immediate action to fix any problems.
Staff training
Human error is the leading cause of personal data breaches. Therefore, it is clearly essential that your staff, at all levels, are provided with data protection training. Some training to consider includes:
- Education on the most common threats so that staff recognise them (for example, phishing or other suspicious emails, social engineering and ransomware).
- Company best practices such as having a clear desk policy, locking away laptops and hard drives, creating strong passwords and never sharing passwords.
- Staff should receive data protection training as part of their onboarding process, but it is essential they also receive refresher training on a regular basis that is specific to their role.
Assessments and policies
Businesses that process personal data should have in place certain assessments and policies which will govern the processing and how to minimise the risk of a personal data breach. Some key considerations are:
- It is good practice to complete data protection impact assessments (DPIAs) when processing personal data; these will help you identify and minimise data protection risks.
- Make sure you have data protection policies in place, such as those outlining your retention policy and data subject rights. Regularly audit these policies and keep them up to date.
- You should also be prepared in case a breach does occur. Have a response plan in place setting out your procedures for investigating and evaluating the breach.
We can assist you with each of these steps, including by providing training to you and your staff and helping you draft and implement data protection policies. You can also use our free data assist audit tool, after which you will receive a personalised report outlining any issues you should address. You can find this tool here.
For further information or advice, please get in touch with our Commercial and Technology Team.