The Privacy Guy – Promise 6 – Security

You’ve got to keep personal information safe they say. What does that mean? How safe do you have to keep it? And how do I check whether it is safe enough? All good questions. But, you won’t find the answers in the GDPR, or any other data protection legislation. What you need is a little help from real data protection experts like The Privacy Guy.

By Nigel Jones

Co Founder of The Privacy Compliance Hub

March 2020

You need to appreciate that your biggest risk is your people.  One security expert, when asked how he would eliminate the risk of a data breach answered, “Sack all your staff!”.  However, rather than take that unrealistic and rather drastic action, you should first make sure that all your staff are trained.  This is an essential part of any structured privacy compliance programme.  And this is what you need to ensure that your security measures are in line with the GDPR.

Make your people understand, care and do

People in your organisation need to understand what security steps they can take and the consequences of them getting it wrong.  Once they understand, they will care.  And if they care they will do what they need to help.   At The Privacy Compliance Hub, we provide a simple platform to make people understand and care.  Our comprehensive privacy compliance programme is based upon our unique Eight Privacy Promises.  Helping everyone understand those Eight Privacy Promises is our very own Privacy Guy who guides you through what it means and what it takes to comply with the law.

Privacy Promise 6 – We keep personal information safe

Or, in other words, we promise to keep the personal information we process secure by continuously assessing our security risks and implementing appropriate security measures in line with industry practice.

What The Privacy Guy needs you to understand

The Privacy Guy needs you to understand that most breaches are caused by human error.  He needs you to understand that it is only by having the right culture in place that you can minimise your organisation’s risk of a data breach.  And he needs you to understand that your organisation and the people in it need to be aware of the state of the art when it comes to security and keep up with that state of the art.

There are principles that all your people should be aware of:

  • data minimisation – your organisation should only process the minimum amount of personal information;
  • anonymisation – if personal information is anonymised, it ceases to be personal information, the risk to individuals is removed and privacy rules are unlikely to apply to it; and
  • pseudonymisation – the process of converting personal information by replacing or removing certain information in a data set so that it can no longer be attributed to a specific individual without the use of additional information. The additional information must be kept separately and technical and organisational measures used to ensure it cannot be linked to an identified or identifiable person. This process does not go as far as anonymisation to remove any link between the information and the person it relates to and is still considered personal information so remains subject to, for example, the GDPR. Pseudonymising personal information can reduce the privacy risks to individuals. It is a security measure which, depending on how effective it is, may mean that a data breach does not need to be reported to the regulator.

You should also make sure that whoever is responsible for your security makes sure that the following aspects of security are covered:

  • systems/infrastructure security – for example the use of firewalls and encryption;
  • physical security – for example at data centres, or in your office; and
  • management & organisational security – ensuring the right policies are in place, that they are followed and that your staff are trained in relation to them.

A good place to start is with the National Cyber Security Centre’s Cyber Essentials scheme.

Here, NCTech, the company behind the world’s highest resolution 360 degree HDR camera explain how The Privacy Compliance Hub and its Eight Privacy Promises gave them the privacy compliance structure that they needed.

Read story

Why The Privacy Guy thinks you should care

In our private lives, we care if our credit card details are lost or misused.  We care that our medical records are kept securely and not shared with people we don’t want that information shared with.  We care if our passwords are found on the dark web. All these concerns are understandable.

We should keep these concerns in mind when we are handling personal information at work.  Treat other peoples’ personal information as we would want our own treated.

What The Privacy Guy needs you to do

You need to make sure that all your staff understand that they should only have access to the personal information that they need access to.  Those people should understand that they need to report any data loss and never act alone in relation to a suspected loss or destruction of data.  Your organisation needs a password policy understood by all your staff and carried out by all your staff. And you need to make sure that all your staff read the appropriate policies, understand them, ask when in doubt, comply with those policies and attend all training sessions.

In this short video, Tom Williams, Head of Marketing at Peak Labs, explains how his organisation use The Privacy Compliance Hub.  Peak Labs produce the number one brain training app on the market.

Watch video

A culture of continuous privacy compliance

At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous privacy compliance by making everyone in an organisation understand privacy, care about privacy and to do their bit to protect personal information.  Security is just one aspect of privacy compliance, albeit an important one. Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to comply with privacy rules including the GDPR and the CCPA.

More to watch and read