GDPR ‘Not Only About Digital Data’
The introduction of the GDPR legislation within the EU has seen many businesses focus on their cyber security. Our digital data is constantly growing and it’s only right that the information that businesses and other organisations hold on individuals is properly protected.
While no one is denying that cyber security is important, it’s also essential that organisations don’t forget about data that is still held physically in offices or other settings. This is still covered by the GDPR legislation and a breach due to misplaced or stolen paperwork could be just as costly for a business as a cyber attack.
But there’s evidence to suggest that many companies, particularly small businesses, are struggling to keep up with the GDPR legislation.
News Anyway recently highlighted research carried out by Aon, which found that half of small business owners are still confused about what they can and can’t do in terms of data protection and privacy regulations.
For instance, 40 per cent of those questioned didn’t realise that the loss of physical paperwork would be considered a data breach, and therefore needs to be reported to the Information Commissioner’s Office (ICO) if the loss of that paperwork breached individual rights.
What’s more, six in ten didn’t even realise that the ICO needed to be notified if there was a data loss that breached individual rights.
Among the issues identified by the survey are things like businesses keeping visitor books that allow people to see the details of others who’ve been at the company in question, as well as using paper diaries.
Just over one-quarter of businesses revealed that they still have a paper diary, but the news provider noted that this could easily be misplaced and is likely to contain customer details and potentially private information.
One in ten companies, meanwhile, said that they use a visitor book, which could also throw up privacy issues.
Things like circulating paper sponsorship forms around an office might seem innocuous, but could also mean you’re falling foul of GDPR legislation. These forms often contain names and addresses, which means that passing them to your colleagues is in breach of GDPR rules.
It’s not only using these things in the first place that could land your business in trouble. It’s also important to think about how you’ll dispose of them when you no longer need them.
Over half of the firms surveyed admitted that they don’t dispose of customer records securely and confidentially. This rises to 86 per cent when it comes to visitor books and to 71 per cent for staff records.
This just goes to show how important it is to take the time to find confidential shredding services in London to make sure that any paper documentation you do have is disposed of responsibly and in line with the latest legal guidance.
The research also highlighted the ten most common ways in which small businesses are breaking GDPR legislation.
Staff using paper diaries that contain private customer information was in at number two, indicating just how big of an issue this is.
Having a visitor book was number nine, while staff circulating sponsorship forms was number ten.
Speaking to Business Matters magazine about the results of the survey, Dr Emma Philpott, from the UK Cyber Security Forum, said that many small businesses hold the mistaken belief that complying with GDPR involves something really complicated, both in the sense of cyber and physical security.
“There is a lot of misunderstanding of risks, and still a worry among SMEs that it must be complicated. It is not always about high end security. It’s about having the basics in place to protect you from indiscriminate attacks,” she said.
Dr Philpott added that there’s one simple thing that all businesses should be doing. “Educating staff takes time but doesn’t cost anything at all,” she asserted.
Another concern is that, following the introduction of GDPR in May, many firms have let compliance issues slide down their list of priorities. Dr Philpott stressed that becoming GDPR compliant isn’t a process you go through once and then never touch again; it’s a process that needs to be regularly reviewed and updated.
“As soon as the deadline for GDPR passed too many thought that was job done and that’s where their responsibility ended,” she said.
Of course, the large fines that have been handed down to big organisations in the past few months should be a reminder that it’s important to have a continued focus on data protection and privacy, whatever your business.
ICO guidance also points to physical data
Guidance on GDPR from the ICO also highlights the need to consider physical data that’s held for business purposes when making sure your organisation is GDPR compliant.
It explains that the GDPR legislation “concerns the broad concept of information security”. It goes on to advise that businesses have “appropriate security to prevent the personal data you hold being accidentally or deliberately compromised”.
The ICO guidance also states: “You should remember that while information security is sometimes considered as cyber security (the protection of your networks and information systems from attack), it also covers other things like physical and organisational security measures.”
However, it’s also important to understand that the GDPR does not outline specific measures for protecting data. The only stipulation is that they are appropriate. What counts as appropriate will vary depending on factors such as your business, its premises, what data you hold, how many staff you have and what access they have.
From an organisational perspective, it’s essential to develop a culture of security awareness within your business. That means running training with your staff to ensure they all understand the importance of data security, as well as how their actions might result in a breach.
Things to consider with physical security
The ICO does offer a list of things to think about when evaluating your business’s physical security and how this might affect your data protection efforts.
Looking at your basic physical security is a good place to start. That includes the locks and doors at your premises, as well as whether you have CCTV to help protect your premises. Alarms and security lighting would also fall under this category.
What level of control there is over access to your business should be the next thing to focus on. Look at how visitors to your site are supervised, as well as how they gain access in the first place and whether there are any simple changes - such as removing a visitor book - that you can make now to enhance your data security.
Disposing of records that are no longer needed is the next thing to consider. Confidential shredding is a must, and any waste that contains any personal details of customers or staff should be disposed of in this way.
The main reason to opt for document shredding is because it prevents any data held in paper documents from being read by others. If you simply throw documents away in their entirety, there is a chance, however small, that they could be read and subsequently used by others.
Shredding significantly reduces the likelihood of this happening, and if you use a document shredding service you will also have peace of mind that the shredded paper is being completely destroyed responsibly.
When you choose a company to dispose of your sensitive waste for your business, make sure you carry out thorough checks on their processes and background to ensure that they meet the required standards. This will also give you peace of mind that, when you turn physical documents over for destruction, they are being disposed of as promised.
Don’t forget about electronic waste either. Old computers, mobile phones or other pieces of technology that may have sensitive data stored in them need to be disposed of responsibly, so that you have peace of mind that any data left on them has been properly wiped before they are thrown out.
Finally, the ICO recommends evaluating how you keep any IT equipment secure. It makes particular mention of mobile devices, but this could also apply to tablets, laptops or any other computing equipment that could be accessed.
If you are unsure about your company’s compliance with GDPR the best thing to do is carry out a thorough review of your security protocols. Remember that these include physical as well as cyber security.
You can also make sure you have insurance in place to protect your business in the event of a cyber or data breach. Chris Mallett, a cyber security specialist at Aon, noted that it’s worrying to learn that nearly 45 per cent of SMEs don’t have this kind of insurance in place at present.
It’s not only about preventing breaches in the first place, he explained, but also about how you deal with them if they do occur.
“Cyber insurance means those businesses who unfortunately experience a data breach can at the very least rest assured that they have access to specialist support, ensuring a breach will be dealt with in line with GDPR requirements,” he stated.