This article has been written to help companies, particularly SMEs, understand the significance and importance of strong data security and excellent staff training, specifically in relation to data protection compliance within their own businesses when dealing with personal and sensitive data.
Apart from the obvious necessity to keep your premises physically secure, and shred any confidential paperwork, there are four main areas covered by this article:
- Computer Security
- Encryption
- Emails
- Staff Training
Computer security
Protecting your computers and computer networks includes a number of steps, which can be relatively simple and straightforward to implement. As is often the way, anything is simple if you know what to do and how to do it. For example, simple security steps include:
- Protection: Install firewalls and virus-checking tools.
- Updates: Keep the operating system updated automatically and on an ongoing basis.
- Security updates: Stay aware of the latest security patches and updates, and download them as soon as they are available.
- Anti-spyware: Consider installing anti-spyware tools (to prevent hostile individuals from monitoring your computer activity and from making malicious attacks against you).
- Back-ups: Regular backups are an essential part of computer hygiene – they should be taken regularly and kept separately, so that if your computers are lost or stolen you still have the information available.
- Disposal: When you get rid of a computer, it is vital to ensure that all personal information is securely removed before you move it on. I always remove the hard drive and smash it into small pieces – which is probably overkill, but it works for me! There are other “technical” solutions, but I prefer to destroy the hard drive and know that it’s gone for ever.
- Spam filters: Ensure that you either have spam filters on your computers or that you use an email provider that offers this service.
Encryption
If sensitive personal information is stolen or lost, it is highly likely to cause damage or distress. To minimise the risk of disclosure, any such personal information really should be encrypted. The truth is that login usernames and passwords offer only minimal protection – absolutely not enough to protect against illegal – or simply unauthorised – access. It is also worth remembering that enormous volumes of data can now be stored on tiny devices from memory sticks to smartphones.
Encryption can be a tricky area, so if you are uncertain of how encryption works, or the strengths and weaknesses of various types of encryption, Tony Schiffman can provide useful advice on how to keep your information secure. Just drop him a line at tony@datacompliant.co.uk
Email security
Writing, sending and receiving emails is now taken for granted as just a part of everyday life. This may be why there are so many varied opportunities for error and carelessness. Some of the most common issues are summarised below:
- If the contents of an email are sensitive, the email should be encrypted or password protected.
- When you start to type in the name of the recipient, your software may automatically suggest similar addresses which you have used before. For example, I have a few Johns in my address book whom I email regularly. Each time, the auto-complete function offers me several Johns and I have to force myself to remember to check that I have picked the right address before clicking “send”.
- Group email addresses are a useful tool, but it is always worth double-checking who is included within the group, and being certain that you eliminate anybody who should not receive your message.
- If you want to copy someone on an email but don’t want to share their email address, use the bcc function rather than cc. When you use cc, all recipients will be able to see the email addresses of all other recipients to whom the email was sent.
Interesting (if irrelevant) note – we still use the term cc, which stands for carbon copy, going back to the days of typewriters when a sheet of coated carbon paper was placed between two or more sheets of paper. The pressure of the typewriter keys on the carbon paper would cause the ink to be transferred to the additional sheet(s) of paper, thus providing carbon copies. Bcc, of course, stands for blind carbon copy.
- When sending a sensitive email from a secure server to a recipient whose server is insecure, the security of that email will be jeopardised. Always check the security of your recipient’s server / provider before sending your message.
- Use spam filters on your computers, or use an email provider that offers spam filtering services.
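The two recipient mistakes above (picking the wrong “John” from auto-complete, and exposing addresses through cc rather than bcc) are the kind of thing a simple pre-send check can catch. The following is an added example, not code from the article or from Data Compliant; it assumes a constructed address book, a constructed allow-list of domains whose mail servers are trusted with sensitive content, and a sensitivity flag set by the sender. Nothing is transmitted: the code only builds the message, shows which copy of the headers other recipients would actually see, and lists warnings to confirm before sending.

```python
"""Pre-send checks for an outgoing email (added example, not from the article).

Assumptions (constructed for this example):
  - ADDRESS_BOOK: a small address book containing two different Johns.
  - TRUSTED_DOMAINS: domains whose mail servers we trust with sensitive content.
  - The sender marks a message as sensitive or not when calling pre_send_checks().
"""
from copy import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample address book: address -> display name. Note the two Johns.
ADDRESS_BOOK = {
    "john.smith@example.co.uk": "John Smith",
    "john@partner.example.org": "John Brown",
    "jane@example.co.uk": "Jane Doe",
}
# Constructed allow-list: only these domains may receive sensitive content unencrypted.
TRUSTED_DOMAINS = {"example.co.uk"}


def build_message(sender, to, cc=(), bcc=(), subject="", body=""):
    """Build a message with To/Cc/Bcc headers, as a mail client would."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def _addresses(msg, *header_names):
    """Lower-cased addresses from the named headers, in header order."""
    fields = []
    for name in header_names:
        fields.extend(msg.get_all(name, []))
    return [addr.lower() for _, addr in getaddresses(fields)]


def all_recipients(msg):
    """Every address in To, Cc and Bcc: these make up the SMTP envelope."""
    return _addresses(msg, "To", "Cc", "Bcc")


def outgoing_copy(msg):
    """The copy actually transmitted: the Bcc header is removed, so To and Cc
    recipients never see the blind-copied addresses. This mirrors what
    smtplib.SMTP.send_message does (shallow copy, then delete 'Bcc')."""
    out = copy(msg)
    del out["Bcc"]
    return out


def visible_addresses(msg):
    """Addresses every recipient can read in the delivered headers (To and Cc)."""
    return _addresses(outgoing_copy(msg), "To", "Cc")


def pre_send_checks(msg, sensitive):
    """Return a list of warnings to confirm before sending; empty means no concerns."""
    warnings = []
    for addr in all_recipients(msg):
        domain = addr.rsplit("@", 1)[-1]
        # Sensitive content should not go unencrypted to a server we do not trust.
        if sensitive and domain not in TRUSTED_DOMAINS:
            warnings.append(f"sensitive content to untrusted domain: {addr}")
        # The 'several Johns' problem: flag any recipient whose first name is
        # shared by another address-book entry, since auto-complete can mix them up.
        name = ADDRESS_BOOK.get(addr, "")
        first = name.split()[0].lower() if name else None
        if first and any(
            other != addr and other_name.split()[0].lower() == first
            for other, other_name in ADDRESS_BOOK.items()
        ):
            warnings.append(
                f"confirm recipient {addr} ({name}): another '{first.title()}' is in the address book"
            )
    return warnings


if __name__ == "__main__":
    msg = build_message(
        "me@example.co.uk",
        to=["john.smith@example.co.uk"],
        cc=["jane@example.co.uk"],
        bcc=["john@partner.example.org"],
        subject="Quarterly payroll figures",
        body="Constructed sample body.",
    )
    print("envelope recipients:", all_recipients(msg))
    print("addresses visible to everyone:", visible_addresses(msg))
    for warning in pre_send_checks(msg, sensitive=True):
        print("WARNING:", warning)
```

Run as a script, the example shows that the blind-copied partner address is in the envelope but not in the headers other recipients receive, and it raises three warnings: both Johns are flagged for confirmation, and the partner address is flagged because a sensitive message is going to a domain outside the allow-list. In a real deployment the allow-list and address book would come from your mail system rather than being hard-coded.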
Staff Training
Training your staff to keep data secure is also vital. Staff can be held responsible for data compliance breaches and may sue their company if they have not been given essential training.
Did you know that your staff can be prosecuted if they deliberately give out personal details without permission? So it’s essential that their access to personal or sensitive data is limited purely to what they need to do their job, and they are trained to understand what they can and cannot do. For example:
- Discretion Your staff may receive enquiries from people who are trying to obtain personal details dishonestly – teach them how to handle such enquiries so that they cannot be tricked into providing inappropriate information.
- Passwords Ensure your staff use strong passwords. The longer the better, and greater strength can be gained by combining letters, numbers, punctuation and other special characters, while using both upper and lower case letters.
- Confidentiality It is, of course, essential that members of staff do not share their passwords or knowledge of sensitive or personal data with colleagues or friends.
- Professionalism Staff members should be trained to be professional in their communications, and avoid any offensive communications, emails, or inappropriate dissemination of the details of other people or their private lives. They must be trained to understand that their inappropriate behaviour can bring your business into disrepute.
- Spam: They should not open spam – not even to unsubscribe or ‘request no further mailings’. If you do not have spam filters on your computers, your staff members should be instructed to delete any spam they receive.
- Financial information: They should be taught not to believe emails that appear to come from a bank or building society asking for account or credit card details or password information.
If you would like to discuss staff training with Data Compliant, please contact victoria@datacompliant.co.uk
Data Breaches
Data security falls into a number of areas. Based on the ICO’s stated data breaches from April to July 2013, it is clear that security and staff training are critical elements in protecting the personal data you hold. The types of breach noted during that period are illustrated in the diagram below. It is notable just how significant security and staff training are in preventing breaches of personal and sensitive data.
In our marketing and data consultancy, Tuffill Verner Associates, we have helped businesses navigate data permissions and compliance across B2C and B2B. With over 30 years’ experience each, Victoria Tuffill and Michelle Evans are well placed to help marketers stay compliant while still achieving their marketing goals. We provide clear, tailored, practical and creative advice to marketers to solve the difficulties of achieving results while staying within the confines of legal compliance.
If you’d like to chat about your data compliance, security or governance needs, please contact Victoria or Michelle on 01787 277742 or by email – victoria@datacompliant.co.uk or michelle@datacompliant.co.uk