- 13 February 2023
- Privacy and Data Protection
As we enter the week of Valentine's Day, it is worth recognising the significance of data security, particularly given the rise in reported cybersecurity breaches over the last few months. Suppose you order your partner a bouquet of roses. To do so, you enter your and your partner's names, contact details, bank details and the recipient's address, all of which constitute personal data. Suppose the florist then suffers a cyberattack: your data is compromised and, perhaps, the roses are sent to the wrong recipient. With this example in mind, we explore the steps you can take to protect personal data and to encourage proactive, rather than reactive, action.
What would have been the company’s obligations in relation to the personal data?
The UK GDPR requires that personal data be 'processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage…' (Article 5(1)(f), the integrity and confidentiality principle). Data controllers are accountable for compliance with the data protection principles, and both controllers and processors must implement appropriate security measures (Article 32). With reference to our example, the florist would therefore have been responsible for preventing the personal data from being accidentally or deliberately compromised.
What proactive measures could be put in place?
The UK legislation stipulates that appropriate technical and organisational measures to safeguard the data should be implemented. It is best practice to put such safeguards in place before processing begins, not only while it is under way, and to decide which safeguards are needed by first completing a risk assessment. In our example, it may have helped if the personal data had been pseudonymised or encrypted (both named in Article 32 as examples of appropriate measures), if strong authentication had protected the accounts and systems holding bank details, and if the security of the website, the underlying systems and the access controls had been reviewed to ensure that the data was held securely.
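As an added illustration of the pseudonymisation safeguard mentioned above (example code written for this page, not code from the original article or from any florist's system), the block below takes an order record like the one in the opening example, replaces the direct identifiers with keyed pseudonyms, and keeps only the last four digits of the card number. The field names, the sample order and the key are constructed assumptions. The design point is the one in the UK GDPR definition of pseudonymisation: the record can no longer be attributed to a person without 'additional information', and that additional information (here the HMAC key and the re-identification table) must be held separately from the pseudonymised data. If the key and table leak together with the record, the protection is gone.

```python
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers for this worked example (an assumption
# about the florist's order schema, which the article does not specify).
DIRECT_IDENTIFIERS = ("buyer_name", "buyer_email", "recipient_name", "recipient_address")

# Constructed sample order, mirroring the article's rose-delivery scenario.
SAMPLE_ORDER = {
    "order_id": "R-1001",
    "buyer_name": "Alice Smith",
    "buyer_email": "Alice.Smith@example.com",
    "recipient_name": "Bob Jones",
    "recipient_address": "1 Example Street, Exampletown, EX1 1AA",
    "card_number": "4111 1111 1111 1111",
    "product": "12 red roses",
}

# Fixed key so the example is reproducible. In production the key comes from
# new_key() and lives in a secrets store, never beside the pseudonymised data.
SAMPLE_KEY = bytes.fromhex("0f" * 32)


def new_key() -> bytes:
    """Generate a fresh 256-bit pseudonymisation key."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256).

    The same value under the same key always maps to the same token, so
    orders from one customer can still be linked; without the key the token
    cannot be reversed or even confirmed against a guessed value.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def truncate_card(card_number: str) -> str:
    """Keep only the last four digits; the full number is never stored."""
    digits = "".join(ch for ch in card_number if ch.isdigit())
    if len(digits) < 4:
        return "****"
    return "*" * (len(digits) - 4) + digits[-4:]


def pseudonymise_order(order: dict, key: bytes) -> tuple[dict, dict]:
    """Return (pseudonymised record, re-identification table).

    The record is safe to use for fulfilment analytics or to share with a
    processor; the table is the 'additional information' that must be kept
    separately and access-controlled.
    """
    record = dict(order)
    lookup: dict[str, str] = {}
    for field in DIRECT_IDENTIFIERS:
        if field in record:
            token = pseudonym(record[field], key)
            lookup[token] = record[field]
            record[field] = token
    if "card_number" in record:
        record["card_number"] = truncate_card(record["card_number"])
    return record, lookup


def reidentify(record: dict, lookup: dict) -> dict:
    """Restore direct identifiers using the separately held table.

    Card numbers are not restored: truncation is irreversible by design.
    """
    restored = dict(record)
    for field in DIRECT_IDENTIFIERS:
        token = restored.get(field)
        if token in lookup:
            restored[field] = lookup[token]
    return restored


if __name__ == "__main__":
    safe, table = pseudonymise_order(SAMPLE_ORDER, SAMPLE_KEY)
    print("pseudonymised:", safe)
    print("re-identified:", reidentify(safe, table))
```

Note that truncating the card number is a separate, irreversible measure from pseudonymisation: the analytics copy has no need of the full number, so it is not stored at all, which is the least-privilege principle applied to data rather than to users.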
Surveys consistently find that human error is among the leading causes of data breaches, so you cannot rely on technical or system security measures alone when protecting personal data. As a proactive measure, it is best practice to implement data protection policies, particularly for handling data breaches, and to train staff on those policies so that they are familiar with the process when a breach occurs and can respond swiftly and effectively. Bear in mind that, where a breach is likely to result in a risk to individuals, the ICO must be notified without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, so the process needs to surface incidents quickly. Business continuity arrangements that set out how personal data will be protected and recovered are also essential to a quick response to an attack. Finally, periodic checks that your security measures remain appropriate and up to date will reduce the risk of a successful cybersecurity attack.
All you need is love… for your data protection practices!
By implementing technical and organisational measures, organisations can embed a culture of good data protection practice. Consistently educating staff and reminding them of the security measures in place can greatly reduce the risk of a successful cybersecurity attack. For example, keeping anti-virus or anti-malware products and software patches up to date, restricting access to data to those who require it, and enforcing strong, unique passwords (ideally with multi-factor authentication) can limit attacks. Note that the NCSC advises against forcing routine periodic password changes, which tend to produce weaker, predictable passwords; passwords should instead be changed when compromise is known or suspected.
For those adopting hybrid working, it is even more important to maintain physical security in the 'home office'. This includes not leaving your desk or confidential papers unattended, locking the screen when you step away, and ensuring that back-up devices are locked away in a separate place when not in use.
Overall, the first step is to manage your security risk by putting in place the organisational structures, policies and processes needed to understand and assess the risks. Next, you should consider which safeguards are appropriate; the ICO recommends making that decision with reference to the following factors (drawn from Article 32 of the UK GDPR):
- The state of the art (of technology);
- The cost of implementation;
- The nature, scope, context and purpose of processing; and
- The severity and likelihood of the risk(s).
Thirdly, you should implement the safeguards appropriate to your organisation and then build a framework for data security, ensuring that your staff are aware of the processes. Finally, it is important to monitor the security of your systems continually to confirm that they remain effective against the risk of a cybersecurity attack, and to have a business continuity and incident response plan in place so that attacks can be managed effectively.
If you need any advice in relation to cybersecurity attacks, please do not hesitate to contact a member of the data protection team.
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.