Written by Ann Sellar. Published on Fresh Business Thinking.
We all know why we need to manage sensitive data responsibly but, with more than 480 million records leaked last year alone according to IT Governance, are we taking it seriously enough?
We live in a digital age, so when you say ‘data breach’ most people automatically think of online attacks – like those recently reported by Yahoo and TalkTalk. Although this style of attack is a major and growing threat to businesses, we mustn’t underestimate the power of paper.
Every individual and company uses paper to store information in one way or another, and simply throwing it in the bin after use should not mean out of sight, out of mind. Paper-based breaches are a common, and sometimes easy, way of accessing private information, so the disposal of paper records should be treated as a high priority. The same rule applies to office devices such as printers, USB sticks and hard drives, which can still hold data even when wiped.
Failing to safeguard sensitive information – both paper and digital – is likely to result in a hefty fine under the Data Protection Act. In 2018, however, this will be replaced with the new EU Data Protection Regulation (GDPR), which will have major implications for all sectors in the way data is collected, stored and accessed. Despite Brexit, this will impact UK businesses.
Under the new regulation, the fines for data breaches will be higher – in the millions – and European citizens will have greater control and more rights over the information held about them. For example, people will have a ‘right to be forgotten’ if they want old or inaccurate data about them to be deleted. So, any company holding identifiable information about an EU citizen, no matter where it is based, needs to be aware.
With major changes in data law impending and information breaches an all too regular occurrence, the question is: how can companies manage and securely destroy sensitive data to avoid a breach?
Eight top tips for protecting sensitive data:
What’s more, with EU GDPR fines for non-compliance due to be set at up to five per cent of global annual turnover, it is vitally important that the same individual or team takes responsibility for staying up to date with new regulations and introducing any change.
Come 2018, companies will require explicit consent from people to gather their personal data, so get those processes in place early. Any company that stores personal data should consider what the legitimate grounds for its retention are and how it will communicate this to its customers.
Written by Ann Sellar, secure destruction services manager, Crown Records Management