Effective risk management involves identifying and addressing potential threats to an organisation. One often overlooked risk is the mishandling of customers' personal data.
The consequences of failing to properly protect this information can be significant and should not be underestimated. Implementing strong data protection measures and regularly reviewing and updating them is essential to mitigate this risk.
While it may sound like a simple subject in principle, a surprisingly large number of consumers and organisations still fail to safeguard personal data, sending and receiving significant amounts of it unprotected on a day-to-day basis.
This paper will break down exactly what an organisation can do to protect their customers and business reputation from the risks of digitally sharing data. But first – back to basics.
What is personally identifiable data?
In its simplest form, personal data is information relating to a living individual (a 'natural person') that can be used to identify that individual directly, or indirectly when combined with other data.
While your name, address and ID numbers are all obvious direct identifiers, in today's digital world the footprint goes deeper and includes online identifiers such as IP addresses, device identifiers and cookies.
Businesses now need to look beyond the obvious and ask, for each piece of data, whether it could identify an individual on its own or be combined with other data to do so.
There is also a sub-category of personal data called 'special category data' – data which needs more protection because it is sensitive. Under the UK GDPR (Article 9) this includes information such as:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data and biometric data used to identify someone
- Health data
- Sex life or sexual orientation
Why should personal data be protected?
Personal data is used to confirm our identity and to verify many activities in our day-to-day lives. The use of this information rose sharply during the Covid-19 pandemic as online activities and remote transactions proliferated.
Unfortunately, cybercriminal activities have also increased during this time, and one of their main aims is to gain access to sensitive personal data.
We've found that many businesses are still not fulfilling their duty of care obligations towards their customers, failing to protect personal data, especially when it is in transit.
Documents and other confidential information are still being emailed 'in the clear', relying on whatever transport encryption the intermediate mail servers happen to negotiate and sitting unencrypted in every mailbox and server along the way. This leaves them open to cyber-criminal activity and data breaches, both when businesses contact consumers and vice versa.
What risks should you be aware of when sending personal data unprotected?
Leaving personal data unprotected within emails and other digital communication leaves it open to cyber threats such as:
- Interception – Threat actors who monitor and gain access to emails in order to steal the information contained inside.
- Phishing – Scam emails, often impersonating trusted companies or individuals, that attempt to trick recipients into visiting fraudulent websites and sharing personal data.
- Human error – Unintentional breaching of data, mostly through sending emails to the wrong person, or the wrong attachment to the right person.
How does leaving personal data open to risk affect businesses?
If a company is targeted by a cyber attack or suffers from a data breach, it can have long-standing repercussions. These include:
- Damaged reputation and loss of customers – A survey revealed that 41% of respondents wouldn’t return to a business after a security issue, with the average share price of a company falling by 7.27% after disclosing a data breach.
- Fines – With the GDPR, the UK GDPR and the Data Protection Act 2018 now in force, the legal bar has been set high and the consequences of failing to remain compliant are severe. Data protection authorities can impose fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher (up to £17.5 million or 4% under the UK GDPR).
- Company downtime – In one recent survey, 76% of organisations reported downtime due to data loss, with 36% attributing this to a cyberattack and 42% to human error.
Mitigating risk and protecting personal data
We’ve covered why we need to secure data, now let’s discuss the who, what and how.
Who needs protection from the risks associated with transferring data?
When considering email and data security, it is equally important that organisations enable customers to send information securely into the business as it is that they can send their own documents and messages securely out.
Secure communication is a two-way street and only works if both business and customer have access to the tools needed to protect data.
What types of personal data need protecting?
When considering the information that needs protecting, the most challenging type is data that only identifies an individual indirectly, in combination with other data.
For example, two different documents may each hold data that on its own would not be classed as personal, but which becomes personal once the documents are combined. Equally, a single document may scatter fragments (a postcode here, a date of birth there, an account reference elsewhere) that are harmless individually but identify someone when read together or matched against another source.
This casts the net very wide in terms of what data needs protecting and requires careful management - not just from a compliance perspective but as a way to mitigate cyber risk. Professional and experienced cybercriminals can piece together information from many sources to build a profile of an individual, which can eventually lead to identity fraud.
This is why organisations should adopt the mindset that all information should be protected, since any transactional data could include potential identifiers. Documents such as invoices, contracts, valuations and statements all fall under this umbrella.
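To make the linkage risk described above concrete, here is an added example (not code from the original article or from Mailock) that joins two constructed documents, a valuation report with no names and a statement with names but no valuations, on the quasi-identifiers they share. Neither document identifies anyone alone; together they single out two of the four people. The record format, field names and sample values are assumptions for the demo.

```python
"""Added example: re-identification by linking two 'non-personal' documents.
All records below are constructed sample data, not real customers."""
from collections import Counter

# Document 1: a valuation report. No name, only quasi-identifiers.
# (constructed sample data)
VALUATIONS = [
    {"ref": "VAL-1001", "postcode": "SW1A 2AA", "dob_year": 1979, "value": 412000},
    {"ref": "VAL-1002", "postcode": "SW1A 2AA", "dob_year": 1984, "value": 385000},
    {"ref": "VAL-1003", "postcode": "EC2N 4AY", "dob_year": 1979, "value": 640000},
    {"ref": "VAL-1004", "postcode": "EC2N 4AY", "dob_year": 1979, "value": 512000},
]

# Document 2: a statement that names people but carries no valuation.
# (constructed sample data)
STATEMENTS = [
    {"name": "A. Example", "postcode": "SW1A 2AA", "dob_year": 1979},
    {"name": "B. Example", "postcode": "SW1A 2AA", "dob_year": 1984},
    {"name": "C. Example", "postcode": "EC2N 4AY", "dob_year": 1979},
    {"name": "D. Example", "postcode": "EC2N 4AY", "dob_year": 1979},
]


def candidates(records, keys, target):
    """Records that match `target` on every quasi-identifier in `keys`."""
    return [r for r in records if all(r[k] == target[k] for k in keys)]


def link(doc_a, doc_b, keys):
    """Join the two documents on shared quasi-identifiers.

    Returns {ref: [names]}. A list of exactly one name means the person behind
    that valuation has been re-identified from documents that were each
    'anonymous' on their own."""
    return {a["ref"]: [b["name"] for b in candidates(doc_b, keys, a)] for a in doc_a}


def uniquely_identified(doc_a, doc_b, keys):
    """References in doc_a that the join resolves to exactly one individual."""
    return {ref for ref, names in link(doc_a, doc_b, keys).items() if len(names) == 1}


def min_group_size(records, keys):
    """Smallest group sharing the same quasi-identifier values (k in
    k-anonymity). A value of 1 means at least one record is unique and can be
    picked out by anyone who knows those attributes."""
    groups = Counter(tuple(r[k] for k in keys) for r in records)
    return min(groups.values())


if __name__ == "__main__":
    for keys in (("postcode",), ("postcode", "dob_year")):
        print(keys, "k =", min_group_size(VALUATIONS, keys),
              "re-identified:", sorted(uniquely_identified(VALUATIONS, STATEMENTS, keys)))
```

Postcode alone leaves every valuation shared by two people (k = 2). Adding year of birth, a field that looks harmless in isolation, drops k to 1 and re-identifies VAL-1001 and VAL-1002. This is why a per-field view of "is this personal data?" misses the risk: the test has to be run over the combination of fields, and over the other documents the recipient could plausibly hold.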
What governing bodies do I need to be aware of?
While GDPR is important, it’s not the only thing you need to keep in mind - there are other important organisations that advise and uphold cybersecurity principles, including:
The Information Commissioner's Office (ICO) - The UK's data protection regulator. Its guidance restates the UK GDPR's security principle (Article 5(1)(f)): "Personal data shall be: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')."
Financial Conduct Authority (FCA) - Upholds the Senior Managers & Certification Regime (SMCR), driving personal accountability of senior management to ensure a code of conduct for all staff in financial services firms.
National Cyber Security Centre (NCSC) - The NCSC publishes alerts on the latest vulnerabilities and threats, together with guidance on what security professionals should do to protect their organisations and customers.
How can personal data be protected when sent over email?
How organisations deal with (or process) personal data can have an impact on what measures they need to put in place to ensure that data is kept secure, and guarantee they are meeting legal obligations.
Typically, businesses hold more personal data than they need to, so deleting stored data that is no longer required is an obvious starting point. Where data must be kept, removing direct identifiers such as names, email addresses or account numbers reduces the risk of individuals being readily identified. Note the distinction the ICO draws here: if the individual can still be picked out (for example by re-joining a pseudonym to a lookup table, or by combining the remaining fields with another source), the data is pseudonymised, not anonymised, and it is still personal data.
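The paragraph above turns on the difference between pseudonymisation and anonymisation. The following added example (not code from the original article or from Mailock) shows a common mistake, replacing an account number with a plain hash, and why an attacker who knows the identifier format can reverse it by enumeration, then shows a keyed token that resists the same attack as long as the key is held separately from the data. The record layout, the CUST-NNNNN reference format and the sample values are assumptions for the demo.

```python
"""Added example: tokenising direct identifiers is pseudonymisation, and an
unkeyed hash over a small identifier space is reversible. Sample data is
constructed, not real."""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample: a stored invoice record containing direct identifiers.
INVOICE = {
    "invoice_no": "INV-2024-0918",
    "customer_name": "A. Example",
    "email": "a.example@example.com",
    "account_no": "CUST-04217",
    "amount": 1250.00,
    "postcode": "SW1A 2AA",
}


def customer_ref_space() -> Iterable[str]:
    """Assumption for the demo: customer references look like CUST-NNNNN.
    Real identifiers (an 8-digit account number, a date of birth) span a
    larger but still enumerable space; the same attack works with more CPU."""
    return (f"CUST-{n:05d}" for n in range(100_000))


def unkeyed_token(value: str) -> str:
    """What is often called 'anonymising': a plain SHA-256 of the identifier."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_token(value: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Records can still be linked per customer, but
    nobody without the key can test guesses against the token."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def reverse_token(token: str, domain: Iterable[str],
                  guess_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker's view: recompute guess_fn over every value the identifier
    could take and look for the token. Returns the identifier, or None."""
    for candidate in domain:
        if hmac.compare_digest(guess_fn(candidate), token):
            return candidate
    return None


def pseudonymise(record: dict, key: bytes,
                 drop: tuple = ("customer_name", "email")) -> dict:
    """Drop direct identifiers that are not needed and tokenise the one that
    is. The result is still personal data: the postcode and amount remain
    quasi-identifiers and the key holder can re-link the token."""
    out = {k: v for k, v in record.items() if k not in drop}
    out["account_no"] = keyed_token(record["account_no"], key)
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store this separately from the data set
    weak = unkeyed_token(INVOICE["account_no"])
    strong = keyed_token(INVOICE["account_no"], key)
    print("unkeyed token reversed to:",
          reverse_token(weak, customer_ref_space(), unkeyed_token))
    print("keyed token reversed without key:",
          reverse_token(strong, customer_ref_space(), unkeyed_token))
    print(pseudonymise(INVOICE, key))
```

The unkeyed token falls to a 100,000-guess loop in well under a second; the keyed token survives the same loop because the guesser cannot compute the right function. That does not make the output anonymous: whoever holds the key (or the original record) can re-link it, which is why the ICO treats it as pseudonymised personal data and why the key needs its own access controls.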
When needing to transfer personal data, there are several practical steps you can take to mitigate risk. This is where encryption tools such as Mailock play a vital role in the safeguarding of information communicated to or from your organisation.
The Information Commissioner's Office recommends that personal data be encrypted both at rest and in transit, and anonymised where identifying individuals is not necessary for the purpose.
When encryption is paired with verification of the recipient's identity, such as multi-factor authentication before a message can be opened, this goes a long way towards mitigating the reputational and financial risk of a leak or breach.
For those concerned over the security of their customers' data, here’s a simple 6-step guide to help you get started with protecting your email comms:
- Regularly check and delete data that is no longer needed, anonymising that which you need to keep
- Use strong, unique passwords for email and related accounts, favouring length (the NCSC suggests three random words) and a password manager over character-mixing rules, and turn on multi-factor authentication
- Treat all data as actual or potential personal data to ensure nothing goes unprotected
- Educate staff on cybersecurity best practices to minimise the risk from human error
- Identify risky data sources and keep an eye on special category data – this is the information that causes the most potential damage if it were to be leaked
- Invest in a secure email solution that provides the tools you need to protect your comms, including encryption, authentication, and revoke capabilities
Originally posted on 29 September 2022
Last updated on 20 October 2023
Posted by: Sabrina McClune
Sabrina McClune is an expert researcher with an MA in Digital Marketing. She was a finalist in the Women In Tech Awards 2022. Sabrina has worked extensively with B2B technology companies conducting and compiling thorough academically driven research to produce online and offline media. She loves to read fantasy novels and collect special edition books.