
Are You Doing Enough to Prevent Data Breaches?

on Tuesday, 03 December 2019.

Many of the data breach incidents that cross our desks could have been prevented if certain essential steps had been taken.

This article outlines some of the key actions your authority should be taking to prevent breaches and to lessen the impact of those that do occur.

Train All Staff

We frequently advise on breaches that were caused by human error and that could have been prevented with better training. All staff should receive data protection training that is practical and relevant to their roles. For example, staff should know how to recognise 'phishing' emails and how to share documents securely.

Training should also help foster a culture where staff come forward with suggestions. Their contributions are often valuable because they may spot weaknesses 'on the ground' which are not apparent to senior staff. Most importantly, staff must not feel afraid to mention suspected data breaches, which will always require prompt action and may need to be reported to the ICO within 72 hours.

Develop Clear Guidance and Policies

Training should be backed up with written guidance and policies for all staff. Lengthy and abstract guidance is off-putting and ineffective. Instead, provide staff with guidance on what they actually need to know to do their jobs, for instance on issues such as working away from the office, passwords and the secure use of email.

It is a requirement under the GDPR to be able to demonstrate your data protection compliance, and written policies for staff are an essential part of this.

Cyber Security

Cyber-attacks are becoming more sophisticated and prevalent. Your authority should have appropriate technical and organisational measures in place to safeguard personal data from these attacks. As a starting point review the National Cyber Security Centre's guidance for the public sector.

As a general rule, the more sensitive the personal data, the stronger the measures required to keep it secure. You should regularly test and evaluate the security measures in place to ensure that they are effective.

Have a Procedure to Follow

It can be difficult to know what to prioritise when a breach first happens. Being able to turn to a written procedure is helpful in ensuring that you've taken all of the necessary steps.

A data breach procedure should be aimed at the key members of staff who will deal with a breach. This will primarily be your DPO but don't forget those with wider expertise around IT, reputation management, legal issues and HR.

Consider How It Looks to the ICO

If a breach is reported to the ICO they will take into account the measures that you have taken to address the breach when considering enforcement action. This means that not only will robust action help to mitigate the consequences of a breach but it may also lessen the severity of any enforcement action.

If you need advice on developing the necessary steps to prevent data breaches, please contact Claire Hall in our Commercial Law team on 0117 314 5279, or complete the form below.
