
Digital Comms: How to Protect Personally Identifiable Data (Guide)

Effective risk management means recognising and addressing potential threats to an organisation. A commonly overlooked risk is the mishandling of customers' personal data.

The consequences of failing to protect this information properly can be significant and should not be underestimated.

Implementing robust data protection measures and regularly reviewing and updating them is essential to mitigate this risk.

While protecting data may seem straightforward in principle, many consumers and organisations still fail to safeguard their information. A significant amount of data is sent and received unprotected daily.

This article breaks down exactly what an organisation can do to protect their customers and business reputation from the risks of sharing data digitally. But first – let's go back to basics.

What Is Personally Identifiable Data?

In its simplest form, personal data is information relating to a living individual that can be used to directly or indirectly identify that person when combined with other data.

While names, addresses, and ID numbers are obvious direct personal identifiers, today's digital footprint goes deeper and includes online identifiers such as IP addresses and cookies.

Businesses need to consider whether data can directly identify someone or, when combined with other data, could potentially identify an individual.

For example, there is a sub-category of personal data called ‘special category data’ – data that needs more protection because it is sensitive. This includes information such as:

  • Racial or ethnic origin
  • Political opinions
  • Religious beliefs
  • Trade union membership
  • Biometric data
  • Health
  • Sexual preferences

Source: ICO 

Why Should Personal Data Be Protected?

Personal data is used to confirm our identity and verify many activities in our daily lives.

With the rise of online activities and remote transactions, especially during the Covid-19 pandemic, the use of personal data has increased exponentially.

Unfortunately, cybercriminal activities have also risen during this period, with a key goal of accessing sensitive personal data.

We've observed that many businesses still do not fulfil their duty of care to protect personal data, especially when it is in transit.

Documents and other confidential information are still often emailed ‘in the clear’, exposing them to cybercriminal activity and data breaches. This risk exists both when businesses contact consumers and vice versa.

What Risks Should You Be Aware Of When Sending Personal Data Unprotected?

Leaving personal data unprotected in emails and other digital communications exposes it to cyber threats such as:

  • Interception – Threat actors who monitor and gain access to emails to steal the information contained inside.
  • Phishing – Scam emails impersonating trusted companies or individuals, attempting to trick recipients into visiting fraudulent websites and sharing personal data.
  • Human error – Accidental data breaches, usually by sending emails to the wrong person or attaching the wrong file.

How Does Leaving Personal Data Open To Risk Affect Businesses?

If a company is targeted by a cyber attack or suffers a data breach, it can face long-term consequences, including:

  • Damaged reputation and loss of customers – Surveys indicate that 41% of respondents wouldn’t return to a business after a security issue. Companies often see an average share price drop of 7.27% after disclosing a data breach.
  • Fines – With GDPR and other UK-specific laws, the legal bar is set high. Non-compliance can lead to severe consequences, including potential fines of up to €20 million, or 4% of overall turnover.
  • Company downtime – In recent reports, 76% of organisations experienced downtime due to data loss, with 36% attributing this to a cyberattack and 42% to human error.

Mitigating Risk And Protecting Personal Data

We’ve discussed why securing data is crucial; now let’s explore the who, what, and how.

Who Needs Protection From The Risks Associated With Transferring Data?

When considering email and data security, it's vital that organisations enable customers to securely send information into their business, as well as securely send their own documents and messages out.

Secure communication is a two-way street and is effective only if both business and customer have the necessary tools to protect data.

What Types Of Personal Data Need Protecting?

The most challenging data to protect is often that which indirectly identifies an individual when combined with other data.

For instance, two documents might each contain data that is not classified as personal on their own. However, when combined, they could identify an individual.

This broadens the scope of what data needs protection and demands careful management, not just for compliance but also to mitigate cyber risk.

Experienced cybercriminals can piece together information from various sources to build a profile of an individual, leading to potential identity fraud.

Organisations should adopt a mindset that treats all information as requiring protection, recognising that any transactional data could include potential identifiers.

Documents like invoices, contracts, valuations, and statements all fall under this umbrella.

What Governing Bodies Do I Need To Be Aware Of?

Beyond GDPR, other key organisations provide guidance and uphold cybersecurity principles, including:

The Information Commissioner’s Office (ICO) - The ICO clearly states that “Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').”

Financial Conduct Authority (FCA) - Upholds the Senior Managers & Certification Regime (SMCR), enforcing personal accountability of senior management to ensure a code of conduct for all staff in financial services firms.

National Cyber Security Centre (NCSC) - Provides updates on the latest vulnerabilities and risks, along with advice for security professionals on how to protect their organisations and customers.

How Can Personal Data Be Protected When Sent Over Email?

How organisations handle personal data can impact the measures needed to ensure that data is kept secure and that legal obligations are met.

Typically, businesses hold more personal data than necessary, making data deletion a crucial first step.

This includes removing direct identifiers like personal names, email addresses, or account numbers, and anonymising data to eliminate the risk of individuals being easily identified.
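As an added example (not the article's or Mailock's own code), the following Python pre-send check applies that step to a constructed outgoing document: it pseudonymises the direct identifiers the article names (email addresses and account numbers; the 8-digit account format, the salt and the sample text are assumptions) with a salted hash token, and flags the ICO special category terms listed earlier so the message can be held for human review rather than sent automatically.

```python
import hashlib
import re

# Constructed sample of an outgoing customer statement (all values invented).
SAMPLE_DOCUMENT = """\
Statement for Jane Example
Customer email: jane.example@example.com
Account number: 12345678
Note: customer disclosed a health condition when making this enquiry.
"""

# Direct identifiers named in the article. The 8-digit account format is an
# assumption; personal names need a customer list or NER and are not handled.
DIRECT_IDENTIFIER_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "account": re.compile(r"\b\d{8}\b"),
}

# Special category data from the ICO list quoted in the article.
SPECIAL_CATEGORY_TERMS = ("racial", "ethnic", "political", "religious",
                          "trade union", "biometric", "health", "sexual")


def pseudonymise(value: str, salt: str) -> str:
    """Replace an identifier with a salted, truncated SHA-256 token so the
    sender can still reconcile the document (same input, same token)."""
    digest = hashlib.sha256((salt + value).encode("utf-8")).hexdigest()
    return f"<token:{digest[:12]}>"


def redact_document(text: str, salt: str) -> tuple[str, dict[str, int]]:
    """Pseudonymise every direct identifier; return new text and counts."""
    counts = {}
    for label, pattern in DIRECT_IDENTIFIER_PATTERNS.items():
        counts[label] = len(pattern.findall(text))
        text = pattern.sub(lambda m: pseudonymise(m.group(0), salt), text)
    return text, counts


def special_category_hits(text: str) -> list[str]:
    """Return the special category terms present, in list order."""
    lowered = text.lower()
    return [term for term in SPECIAL_CATEGORY_TERMS if term in lowered]


def check_outgoing(text: str, salt: str) -> dict:
    """Pre-send check: redact identifiers, and hold the message for human
    review when special category data is present (redaction alone is not enough)."""
    redacted, counts = redact_document(text, salt)
    hits = special_category_hits(text)
    return {"redacted": redacted, "identifiers": counts,
            "special_category": hits, "hold_for_review": bool(hits)}
```

Run `check_outgoing(SAMPLE_DOCUMENT, "constructed-salt")` to see the pseudonymised text, the identifier counts and the special category flag that would gate release.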

When transferring personal data, several practical steps can help mitigate risk. Encryption tools such as Mailock are vital in safeguarding information communicated to or from your organisation.

The Information Commissioner's Office advises that personal data should be either encrypted or anonymised, both at rest and in transit.

When paired with identity verification methods such as multi-factor authentication, these measures can significantly reduce the potential reputational and financial risk from a data leak or breach.

Next Steps

For those concerned about the security of their customers' data, here’s a straightforward 6-step guide to help you protect your email communications:

  1. Regularly review and delete data that is no longer needed, and anonymise data that must be retained.
  2. Create and maintain strong passwords using a combination of letters, numbers, and special characters.
  3. Treat all data as potential personal data to ensure comprehensive protection.
  4. Educate staff on cybersecurity best practices to minimise the risk from human error.
  5. Identify risky data sources and pay attention to special category data, which poses the greatest threat if leaked.
  6. Invest in a secure email solution that includes encryption, authentication, and revoke capabilities.

References:

Loss Of Customers, Substantial Costs, And A Damaged Reputation: Find Out Why Privacy Compliance Should Be Top Of Your Priority List, Privacy Compliance Hub, 2024

This Is How A Data Breach At Your Company Can Hit Share Prices, ZDNet, 2024

DPA and GDPR Penalties, IT Governance, 2024

76% Of Organisations Suffered Downtime And Data Loss In 2021: System Crashes, Human Error, And Cyberattacks To Blame, GlobeNewswire, 2024

Special Category Data, ICO, 2024

Reviewed By:

Sabrina McClune, 18.06.24

Sam Kendall, 18.06.24

Originally posted on 29 09 22
Last updated on June 19, 2024

Posted by: Sabrina McClune

Sabrina McClune is an expert researcher with an MA in Digital Marketing. She was a finalist in the Women In Tech Awards 2022. Sabrina has worked extensively with B2B technology companies conducting and compiling thorough academically driven research to produce online and offline media. She loves to read fantasy novels and collect special edition books.
