Effective risk management involves identifying and addressing potential threats to an organisation. One often overlooked risk is the mishandling of customers' personal data.
The consequences of failing to properly protect this information can be significant and should not be underestimated. Implementing strong data protection measures and regularly reviewing and updating them is essential to mitigate this risk.
While it may sound like a simple subject in principle, there are a surprisingly large number of consumers and organisations still failing to safeguard their personal data, sending and receiving a significant amount of information, unprotected, on a day-to-day basis.
This paper will break down exactly what an organisation can do to protect their customers and business reputation from the risks of digitally sharing data. But first – back to basics.
In its simplest form, personal data is information relating to a living or natural person that can be used to directly identify an individual, or indirectly identify an individual in combination with other data.
While your name, address and ID numbers are all obvious direct personal identifiers, in today's digital world the footprint goes deeper and includes other online identifiers, such as IP addresses and cookies.
Businesses now need to look beyond the obvious to see whether a piece of data is capable of directly identifying an individual, or of being combined with other data to do so.
For example, there is a sub-category of personal data called ‘special category data’ – in other words, data which needs more protection because it is sensitive. This includes information such as:
Source: ICO
Personal data is used to help confirm our identity and to verify many activities in our day-to-day lives. The use of this information has increased exponentially throughout the Covid-19 pandemic as online activities and remote transactions have proliferated.
Unfortunately, cybercriminal activities have also increased during this time, and one of their main aims is to gain access to sensitive personal data.
We've found that many businesses are still not fulfilling their duty of care obligations towards their customers, failing to protect personal data, especially when in transit.
Documents and other confidential information are still being emailed ‘in the clear’, leaving them open to cyber-criminal activity and data breaches. This risk is present for businesses contacting consumers, and vice versa.
Leaving personal data unprotected within emails and other digital communication leaves it open to cyber threats such as:
If a company is targeted by a cyber attack or suffers from a data breach, it can have long-standing repercussions. These include:
We’ve covered why we need to secure data; now let’s discuss the who, what and how.
When considering email and data security, it is equally important that organisations enable customers to securely send information into their business as it is that they can send their own documents and messages securely out.
Secure communication is a two-way street and only works if both business and customer have access to the tools needed to protect data.
When considering the information that needs protecting, the most challenging type will be data that indirectly identifies an individual in combination with other data.
For example, this could be where two different documents hold data that, on their own, would not be classified as personal but, when combined, become personal. Alternatively, it could be a single document that holds such data in different places; on its own it may appear harmless, but combined with other information it can be used to identify an individual.
This casts the net very wide in terms of what data needs protecting and requires careful management - not just from a compliance perspective but as a way to mitigate cyber risk. Professional and experienced cybercriminals can piece together information from many sources to build a profile of an individual, which can eventually lead to identity fraud.
This is why organisations should adopt a mindset in which all information is protected, on the assumption that any transactional data could include potential identifiers. Documents such as invoices, contracts, valuations and statements all fall under this umbrella.
While GDPR is important, it’s not the only thing you need to keep in mind - there are other important organisations that advise and uphold cybersecurity principles, including:
The Information Commissioner’s Office (ICO) - The ICO clearly states that “Personal data shall be: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').”
Financial Conduct Authority (FCA) - Upholds the Senior Managers & Certification Regime (SMCR), driving personal accountability of senior management to ensure a code of conduct for all staff in financial services firms.
National Cyber Security Centre (NCSC) - The NCSC publishes news on the latest vulnerabilities and risks, as well as advice on what security professionals should do to protect their organisations and customers.
How organisations deal with (or process) personal data can have an impact on what measures they need to put in place to ensure that data is kept secure, and guarantee they are meeting legal obligations.
Typically, businesses hold more personal data than they need to, so the deletion of stored data is an obvious starting point. This can include the removal of direct identifiers like personal names, email addresses or account numbers, ‘anonymising’ data to eradicate the risk of individuals being readily identified.
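To make the earlier point about indirect identifiers concrete, and to show why deleting names and account numbers alone is not always enough, here is an added Python example that is not part of this paper. It counts how many records in a document share the same combination of postcode and date of birth, shows how a document stripped of direct identifiers can still be matched unambiguously against a second document that carries names, and then coarsens those fields until no record stands out. All records and field names are constructed for the example.

```python
from collections import Counter

# Constructed sample data (not from the paper). STATEMENTS has had its direct
# identifiers (name, e-mail, account number) stripped; MAILING_LIST is a second
# document that still carries names. Field names are assumptions.
STATEMENTS = [
    {"postcode": "SW1A 1AA", "dob": "1984-03-09", "balance": 12050},
    {"postcode": "SW1A 2BB", "dob": "1984-11-23", "balance": 310},
    {"postcode": "M1 1AE", "dob": "1984-03-09", "balance": 8800},
    {"postcode": "M1 1AE", "dob": "1984-03-09", "balance": 420},
]
MAILING_LIST = [
    {"name": "A. Example", "postcode": "SW1A 1AA", "dob": "1984-03-09"},
    {"name": "B. Example", "postcode": "M1 1AE", "dob": "1984-03-09"},
]
QUASI = ("postcode", "dob")  # indirect identifiers: only identify in combination


def key(rec, fields=QUASI):
    return tuple(rec[f] for f in fields)


def min_k(records, fields=QUASI):
    """Smallest number of records sharing one quasi-identifier combination
    (the k of k-anonymity). k == 1 means some record is unique, hence exposed."""
    return min(Counter(key(r, fields) for r in records).values())


def singletons(records, fields=QUASI):
    """Records whose quasi-identifier combination appears only once."""
    counts = Counter(key(r, fields) for r in records)
    return [r for r in records if counts[key(r, fields)] == 1]


def link(anon_records, named_records, fields=QUASI):
    """Re-identification risk check: join the stripped document to a named one on
    the quasi-identifiers. A match is reported only where the combination is
    unique on both sides, i.e. where the link is unambiguous."""
    named = Counter(key(r, fields) for r in named_records)
    names = {key(r, fields): r["name"] for r in named_records}
    anon = Counter(key(r, fields) for r in anon_records)
    return {k: names[k] for k in anon if anon[k] == 1 and named.get(k) == 1}


def generalise(records):
    """Mitigation: coarsen the quasi-identifiers (outward postcode, birth year)
    so that more records share each combination and no single record stands out."""
    return [{**r, "postcode": r["postcode"].split()[0], "dob": r["dob"][:4]}
            for r in records]
```

Run against the sample, the stripped statement file has k = 1 and one of its records links back to a named person; after generalisation k rises to 2 and no unambiguous link remains.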
When needing to transfer personal data, there are several practical steps you can take to mitigate risk. This is where encryption tools such as Mailock play a vital role in the safeguarding of information communicated to or from your organisation.
When sending or transporting information, the Information Commissioner’s Office states that all data should be either encrypted or anonymised – both at rest and in transit.
When paired with identity verification, such as multi-factor authentication, this can go a long way towards mitigating potential reputational and financial risk caused by a leak or breach of data.
For those concerned over the security of their customers' data, here’s a simple 6-step guide to help you get started with protecting your email comms: