You need to appreciate that your biggest risk is your people. One security expert, when asked how he would eliminate the risk of a data breach, answered, “Sack all your staff!”. Rather than take that unrealistic and rather drastic action, you should first make sure that all your staff are trained. This is an essential part of any structured privacy compliance programme, and it is also what you need if your security measures are to be in line with the GDPR.
Make your people understand, care and do
People in your organisation need to understand what security steps they can take and the consequences of getting them wrong. Once they understand, they will care. And if they care, they will do what is needed to help. At The Privacy Compliance Hub, we provide a simple platform to make people understand and care. Our comprehensive privacy compliance programme is based upon our unique Eight Privacy Promises. Helping everyone understand those Eight Privacy Promises is our very own Privacy Guy, who guides you through what it means and what it takes to comply with the law.
Privacy Promise 6 – We keep personal information safe
Or, in other words, we promise to keep the personal information we process secure by continuously assessing our security risks and implementing appropriate security measures in line with industry practice.
What The Privacy Guy needs you to understand
The Privacy Guy needs you to understand that most breaches involve human error, such as personal information sent to the wrong recipient. He needs you to understand that it is only by having the right culture in place that you can minimise your organisation’s risk of a data breach. And he needs you to understand that your organisation and the people in it need to be aware of the state of the art when it comes to security and keep up with it (“the state of the art” is the yardstick Article 32 of the GDPR sets for what counts as appropriate security measures).
There are principles that all your people should be aware of:
- data minimisation – your organisation should only process the minimum amount of personal information it needs for its purpose;
- anonymisation – if personal information is genuinely anonymised, so that an individual can no longer be identified from it by any means reasonably likely to be used, it ceases to be personal information, the risk to individuals is removed and the GDPR does not apply to it. Bear in mind that anonymisation is harder than it looks: stripping names while leaving dates of birth, postcodes and similar details often leaves the data re-identifiable, and then it is still personal information; and
- pseudonymisation – the process of converting personal information by replacing or removing certain information in a data set so that it can no longer be attributed to a specific individual without the use of additional information (for example, a key or a lookup table). That additional information must be kept separately, protected by technical and organisational measures that ensure the data cannot be linked back to an identified or identifiable person. Pseudonymisation does not go as far as anonymisation: the link between the information and the person is preserved, so pseudonymised data is still personal information and remains subject to, for example, the GDPR. Pseudonymising personal information nevertheless reduces the privacy risks to individuals. It is a security measure which, depending on how effective it is, may mean that a data breach is unlikely to result in a risk to individuals and so does not need to be reported to the regulator or to the people affected.
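To make the pseudonymisation point concrete, here is an added example (not code from The Privacy Compliance Hub or from the Eight Privacy Promises programme) that contrasts a weak pseudonymisation scheme with a sound one. The weak version replaces an email address with a plain SHA-256 hash; because anyone who can guess candidate addresses can recompute the hash, no “additional information” is really being held separately. The sound version uses an HMAC keyed with a secret and keeps the key and the token-to-identifier mapping apart from the data set. The records, email addresses and the `Pseudonymiser` class are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records about fictional people, used only for this demonstration.
RECORDS = [
    {"email": "alice@example.com", "city": "Leeds", "purchases": 3},
    {"email": "bob@example.com", "city": "Bristol", "purchases": 1},
    {"email": "alice@example.com", "city": "Leeds", "purchases": 2},
]


def naive_pseudonymise(records):
    """WEAK: replace the email with an unkeyed SHA-256 hash.

    There is no secret involved, so the 'additional information' needed to
    re-link a row is just a list of plausible email addresses. This does not
    meet the requirement that re-identification needs separately held data.
    """
    out = []
    for r in records:
        token = hashlib.sha256(r["email"].encode()).hexdigest()
        out.append({"person_id": token, "city": r["city"], "purchases": r["purchases"]})
    return out


def reidentify_by_guessing(pseudonymised, candidate_emails):
    """Dictionary attack: hash each guessed address and look for a match.

    Returns the recovered email for each row, or None where no guess matched.
    """
    lookup = {hashlib.sha256(e.encode()).hexdigest(): e for e in candidate_emails}
    return [lookup.get(row["person_id"]) for row in pseudonymised]


class Pseudonymiser:
    """Keyed pseudonymisation (hypothetical helper, not a product API).

    The secret key and the token-to-identifier mapping are the 'additional
    information'. In practice they would live in a separate secret store with
    access limited to the few people who legitimately need to re-link records;
    the pseudonymised data set itself never contains them.
    """

    def __init__(self, key: Optional[bytes] = None):
        # 32 random bytes; a real deployment loads this from a separate secret store.
        self.key = key if key is not None else secrets.token_bytes(32)
        self._reverse = {}  # token -> original identifier, held with the key, not the data

    def token_for(self, identifier: str) -> str:
        # HMAC is deterministic for a fixed key, so the same person gets the same
        # token across rows (analysis still works) but without the key nobody can
        # recompute tokens from guessed identifiers.
        token = hmac.new(self.key, identifier.encode(), hashlib.sha256).hexdigest()
        self._reverse[token] = identifier
        return token

    def pseudonymise(self, records):
        return [
            {"person_id": self.token_for(r["email"]), "city": r["city"], "purchases": r["purchases"]}
            for r in records
        ]

    def relink(self, token: str) -> Optional[str]:
        """Only the holder of the separately stored mapping can go back to the person."""
        return self._reverse.get(token)


if __name__ == "__main__":
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print("naive scheme recovered:", reidentify_by_guessing(naive_pseudonymise(RECORDS), guesses))
    p = Pseudonymiser()
    keyed = p.pseudonymise(RECORDS)
    print("keyed scheme recovered:", reidentify_by_guessing(keyed, guesses))
    print("relink with the key holder's mapping:", p.relink(keyed[0]["person_id"]))
```

Run as a script, the naive scheme hands back every address from a short guess list, while the keyed scheme yields nothing without the key, yet the key holder can still relink a token to the individual. That is the practical meaning of keeping the additional information separate: the data set on its own, if it leaks, should not let an attacker name anyone.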
You should also make sure that whoever is responsible for your security covers all three of the following aspects:
- systems/infrastructure security – for example firewalls, patching, access controls and encryption of data in transit and at rest;
- physical security – for example at data centres, or in your office; and
- management & organisational security – ensuring the right policies are in place, that they are followed and that your staff are trained in relation to them.
A good place to start is with the National Cyber Security Centre’s Cyber Essentials scheme.