Carbon DMP | Data Breaches - an Inevitable Occurrence or Avoidable?

Data breaches and malicious cyber-attacks often hit the news headlines, but how can businesses who use data on an everyday basis be sure they’re handling it securely when even major organizations like British Airways have recently come under fire? David Snocken, Head of Data and Strategy for one-to-one marketing company Clicksco, shares his thoughts on why being ethical by design is essential from the outset.

When it comes to data the timeless adage of ‘prevention is better than cure’ could never be truer. My advice to any company that handles data is to think about what they really need it for and whether they deem the use of certain parts of people’s data as both necessary and ethical.

Data usage can mean very different things for a variety of businesses and while it is important to be compliant, in my opinion, having a clear conscience about data use is important too.

But how? For larger companies and those working in the business of data, securing ISO 27001 accreditation is an essential first step. For smaller entities, being guided by the three principles of the information security standard is sufficient.

The three principles are: confidentiality – is the data accessible only to those who are allowed and authorized to use it?; integrity – is the data accurate and complete?; and availability – do authorized users have access to the data when they need it?

Drilling down into these three areas, I’ve identified some key considerations for minimizing the risk of breaches and cyber-attacks…

Firstly, having your house in order is vital from day one. This means ensuring data is encrypted, password-protected and secured even when in transit, and ensuring that all employees – no matter what their role is in an organization – understand how, when and why they can access and use data. This may seem obvious, but how many times have we heard of a laptop containing sensitive information being left somewhere it shouldn’t have been, or an over-zealous office junior accidentally tweeting company secrets?

A recent incident embarrassed London Heathrow Airport, when top-secret security arrangements were found on a USB stick lying on the pavement of a West London street. Worryingly, no password had been set, and when the finder plugged the device into a computer they discovered documents such as maps of CCTV cameras and security patrol routes and timings.

British Airways came under fire after it was revealed that hackers were able to uncover the financial and personal details of customers, with over 380,000 transactions being affected. And recently, Apple made the decision to remove a number of anti-malware apps from Trend Micro from the App Store, after it was alleged they were “stealing user data” and sending it to a server in China.

Even the Ministry of Defence has been known to lose data, admitting to misplacing unsecured secret information in the past. Since January 2017, it is understood the MOD has lost 63 computers – 3 desktops and 60 laptops – as well as 48 USB storage devices. The organization also admitted to having lost more than 650 laptops since as far back as 2004.

As these examples show, having internal policies in place to minimize risk should just be part of the daily routine. Shared files can easily be secured by passwords and access rights granted by data needs and hierarchy within an organization. Training on data is everywhere and for those on a budget, there tend to be free events or webinars to join.

Secondly, don’t just box-tick! GDPR has hit, and at the end of May we were all inundated with ‘please don’t leave us’ messages. While the frequency of that traffic may have died down, many companies are still trying to navigate the grey areas of GDPR’s broad guidelines and are being very cautious due to concerns that they’ll be hit with a fine. Of course, they are right to be concerned; no-one wants to be fined, and 4% of annual turnover can be a significant loss for those with tight profit margins.

Yet that doesn’t mean panicking and taking ill-informed advice will help either. Taking the time to truly understand what GDPR actually means in your industry and for your company is much more sensible. Over the next six to 12 months, the many different interpretations of GDPR that companies have taken will be investigated and challenged, especially where the ICO is seen to disagree. There have already been recent examples of the ICO tackling data ‘mis-use’ rather than solely security breaches. Emma’s Diary, a service that offers pregnant women and new parents health advice and gifts, was slapped with a £140,000 fine for sharing more than a million people’s personal data with the Labour Party. The firm disputed the findings.

I think we can all take heed from the pharmaceutical industry. The heavily-legislated sector has for years ensured compliance during clinical trials and is a shining example of how to make it part and parcel of everyday business. Data doesn’t need to be risky if it’s just part of the norm.

Thirdly – consider the risks. The two biggest risks in my eyes are the way the data is used and the way it is stored and secured. Being proactive rather than reactive is always the best option, so considering how the data is used could mean anonymizing it at the point of entry. If you don’t require the personal elements of the data, then why have them at all? Plus, encourage those managing this process to continually question whether it is ethical to be using data in a certain way, while asking “how would I feel if my data was being used in that way?”

Equally, taking a long hard look at your data storage systems, whether in the cloud or a filing cabinet, should be prioritized. It is up to you to decide carefully how long you should hold certain personal data, so it is recommended to put a retention policy firmly in place with an annual review, ensuring that all timeframes remain defensible over the years.
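The two recommendations above – strip or anonymize personal elements at the point of entry, and enforce a retention window – can be made mechanical rather than left to good intentions. The following is an added illustration, not code from Clicksco or the article; the required fields, the one-year retention period and the sample record are assumptions chosen to show the idea.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumed policy: the fields this business needs for order analytics, and how
# long it may keep them. Both are placeholders for a real retention schedule.
REQUIRED_FIELDS = {"order_id", "product", "amount"}
RETENTION = timedelta(days=365)

def pseudonymise(value: str, key: bytes) -> str:
    # Keyed hash: the raw identifier never reaches storage, and without the key
    # the pseudonym cannot be linked back by guessing common e-mail addresses.
    normalised = value.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()

def ingest(record: dict, key: bytes, now: datetime) -> dict:
    """Minimise a raw record at the point of entry."""
    kept = {k: v for k, v in record.items() if k in REQUIRED_FIELDS}
    if "email" in record:
        kept["customer_ref"] = pseudonymise(record["email"], key)
    if "postcode" in record:
        # Outward code only: enough for regional reporting, not a home address.
        kept["postcode_area"] = record["postcode"].split()[0].upper()
    # Name, phone, date of birth and anything else not listed is dropped here.
    kept["expires_at"] = (now + RETENTION).isoformat()
    return kept

def purge_expired(store: list, now: datetime) -> list:
    """Retention sweep: keep only records still inside their retention window."""
    return [r for r in store if datetime.fromisoformat(r["expires_at"]) > now]

# Constructed sample input, not real customer data.
SAMPLE_KEY = b"replace-with-a-secret-from-your-key-store"
SAMPLE_RECORD = {
    "order_id": "A1001", "product": "kettle", "amount": 29.99,
    "name": "Alice Example", "email": " Alice@Example.com ",
    "phone": "07700 900123", "dob": "1980-01-01", "postcode": "sw1a 1aa",
}

def demo():
    t0 = datetime(2018, 10, 1, tzinfo=timezone.utc)
    stored = [ingest(SAMPLE_RECORD, SAMPLE_KEY, t0)]
    after_sweep = purge_expired(stored, t0 + RETENTION + timedelta(days=1))
    return stored[0], after_sweep

if __name__ == "__main__":
    print(demo())
```

The ingest step is where a breach of the stored copy stops mattering: what was never kept cannot be lost, and the sweep gives the annual review a concrete timeframe to defend.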

Lastly – make sure data consent is freely given. Some companies are trying to force consent by withholding access to content unless consent is given. This isn’t in the spirit of GDPR, and while it’s valuable to have as much of your audience consented as possible, there are heavy risks to your brand if customers feel backed into a corner.

Ask for consent in a sympathetic way and simply explain the benefits of consenting, making sure your customers understand how they can opt out online.