Data breach could cost your company dearly

On Thursday 8th August 2023 two major data breach stories made the headlines in the UK. A cyberattack on the Electoral Commission had stolen the details of 40 million voters. In Northern Ireland the PSNI inadvertently published the details of all of their officers online in response to a Freedom of Information request. Both are major breaches, but they occurred in very different ways: the former was a campaign by “hostile actors” and the latter was “human error”.

Both of these events are reminders to every company or organization that they have a serious obligation under the GDPR regulations to responsibly manage and secure customer data. Depending on the scale of a breach, several things might occur:-

  • The data could be published on Social Networks
  • The data could be put for sale on the Dark Web
  • The data could be used by scammers for fraud
  • The data could be used by competitors
  • The Data Commissioner will have to be informed
  • A fine may be issued as a result

In any of these scenarios reputational damage to your company is likely, and it will undermine confidence in your company.

What are the responsibilities for companies collecting customer data?

1. Transparency and Consent:

  • Clearly inform customers about what data will be collected and why.
  • Obtain explicit and informed consent before collecting any personal data.
  • Provide options for customers to control their data, including opting out of data collection.

2. Data Minimization:

  • Collect only the data that is necessary for the stated purpose.
  • Avoid collecting excessive or irrelevant data.

3. Purpose Limitation:

  • Use customer data only for the purposes for which it was collected.
  • Avoid using data for purposes that the customer did not consent to.

4. Data Security:

  • Implement robust security measures to protect customer data from breaches and unauthorized access.
  • Use encryption, access controls, and regular security assessments.

5. Data Accuracy:

  • Ensure that customer data is accurate and up-to-date.
  • Provide mechanisms for customers to update their information.

6. Data Retention:

  • Define clear retention periods for customer data.
  • Delete or anonymize data that is no longer needed for the stated purposes.

7. User Rights:

  • Respect customer rights, such as the right to access, rectify, and delete their data.
  • Provide mechanisms for customers to exercise these rights.

8. Data Sharing and Third Parties:

  • Inform customers if their data will be shared with third parties and for what purposes.
  • Obtain explicit consent before sharing data with third parties.

9. Cross-Border Data Transfer:

  • Comply with regulations related to cross-border data transfers, ensuring that data is adequately protected when transferred to countries with different data protection standards.

10. Incident Response:

  • Have a plan in place to respond to data breaches and other security incidents.
  • Notify affected customers and relevant authorities if a breach occurs.

11. Privacy by Design:

  • Incorporate privacy considerations into the design of products, services, and systems from the outset.

12. Employee Training:

  • Train employees on data protection principles and best practices.
  • Limit access to customer data to authorized personnel only.

13. Accountability:

  • Designate a Data Protection Officer (DPO) if required by regulations.
  • Maintain documentation of data processing activities and compliance efforts.

So what can a small company or organization do?

For smaller entities with fewer resources it can be more difficult to allocate time and money to cybersecurity – but these simple principles may help:-

  • Secure Your Devices – Install paid antivirus software and keep all software updated
  • Secure Access – Change passwords regularly and delete old accounts
  • Segment Data – Restrict access to customer data to those who need it
  • Purge Data – Delete old customer contacts, orders, addresses if not needed
  • Educate Staff – Train and test your staff on cybersecurity regularly
  • Breach Planning – Have a plan in place to enact when a breach occurs
  • Review Regularly – Check all your systems and procedures annually
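Item 6 (Data Retention) above and the "Purge Data" principle here both come down to the same routine task: finding records that have outlived their stated purpose and either deleting them or stripping the identifying fields. The script below is an added illustration, not code from the article or from any of the organizations it mentions. It assumes a small SQLite table of customer records with a category and a last-activity date; the retention periods and the sample rows are constructed placeholders chosen to show the mechanics, not a statement of what the GDPR requires for any particular kind of data.

```python
"""Retention purge with an audit check (added example, not the article's code).

Assumes a `customer_data` table holding a `category` and an ISO-format
`last_activity` date. RETENTION_POLICY and SAMPLE_ROWS are constructed for
illustration only; real retention periods depend on the purpose recorded
for each data set.
"""
import sqlite3
from datetime import date, timedelta

# Constructed policy: category -> (days to keep, action once expired).
# Orders are anonymised so aggregate sales history survives without identity;
# marketing contacts and support tickets are deleted outright.
RETENTION_POLICY = {
    "order": (365 * 6, "anonymise"),
    "marketing_contact": (365 * 2, "delete"),
    "support_ticket": (365, "delete"),
}

# Constructed sample data: (id, category, name, email, address, last_activity)
SAMPLE_ROWS = [
    (1, "order", "Ann Example", "ann@example.test", "1 High St", "2015-03-02"),
    (2, "order", "Bob Example", "bob@example.test", "2 High St", "2023-05-10"),
    (3, "marketing_contact", "Cat Example", "cat@example.test", None, "2020-01-15"),
    (4, "marketing_contact", "Dan Example", "dan@example.test", None, "2023-07-01"),
    (5, "support_ticket", "Eve Example", "eve@example.test", None, "2021-11-30"),
]

PII_COLUMNS = ("name", "email", "address")


def build_db() -> sqlite3.Connection:
    """Create an in-memory table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer_data (id INTEGER PRIMARY KEY, category TEXT, "
        "name TEXT, email TEXT, address TEXT, last_activity TEXT)"
    )
    conn.executemany("INSERT INTO customer_data VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def _cutoff(today: str, days: int) -> str:
    """Oldest last_activity date still inside the retention window."""
    return (date.fromisoformat(today) - timedelta(days=days)).isoformat()


def expired_with_pii(conn: sqlite3.Connection, today: str) -> list:
    """Audit check: ids of rows past their retention date that still hold PII.

    Run this after the purge; a non-empty result means the policy is not being
    applied and is the kind of finding an annual review should surface.
    """
    pii_present = " OR ".join(f"{col} IS NOT NULL" for col in PII_COLUMNS)
    found = []
    for category, (days, _action) in RETENTION_POLICY.items():
        rows = conn.execute(
            f"SELECT id FROM customer_data WHERE category = ? AND last_activity < ? "
            f"AND ({pii_present}) ORDER BY id",
            (category, _cutoff(today, days)),
        ).fetchall()
        found.extend(r[0] for r in rows)
    return found


def apply_retention(conn: sqlite3.Connection, today: str) -> dict:
    """Delete or anonymise expired rows; return counts for the processing log."""
    counts = {"deleted": 0, "anonymised": 0, "kept": 0}
    for category, (days, action) in RETENTION_POLICY.items():
        cutoff = _cutoff(today, days)
        if action == "delete":
            cur = conn.execute(
                "DELETE FROM customer_data WHERE category = ? AND last_activity < ?",
                (category, cutoff),
            )
            counts["deleted"] += cur.rowcount
        else:
            # Keep the row but null every identifying column; only rows that
            # still carry PII are counted so re-runs report zero work.
            cur = conn.execute(
                "UPDATE customer_data SET name = NULL, email = NULL, address = NULL "
                "WHERE category = ? AND last_activity < ? AND email IS NOT NULL",
                (category, cutoff),
            )
            counts["anonymised"] += cur.rowcount
    conn.commit()
    counts["kept"] = conn.execute("SELECT COUNT(*) FROM customer_data").fetchone()[0]
    return counts


if __name__ == "__main__":
    db = build_db()
    run_date = "2023-08-08"  # the date the article refers to
    print("expired rows still holding PII before purge:", expired_with_pii(db, run_date))
    print("purge result:", apply_retention(db, run_date))
    print("expired rows still holding PII after purge:", expired_with_pii(db, run_date))
```

Two design points matter more than the SQL itself. First, the policy is data, not code: each category carries its own period and action, so adding a new data set means adding one line rather than a new script. Second, the audit function is separate from the purge and is what a reviewer runs during the annual check recommended above; its output (a list of record ids, not the records themselves) is safe to put in a compliance log and supports the documentation that item 13 asks for.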