We've worked with a range of companies that are working really hard to get Data Protection right, but for any business that processes personal data, it is likely that a data breach will occur at some point. Understanding what to do when a breach occurs is fundamental, and by managing, recording and fixing breaches properly you can minimise the impact on you as a business and on any affected parties.
A large proportion of breaches tend to be caused by 'Human Error', so we've taken a closer look at some of the mistakes we have seen that can lead to breaches of personal data.
Auto Populated Email Addresses
This is where you begin typing someone’s email address into your email client and it suggests who you may be trying to contact, so that you don’t have to type the whole address every time. A useful function, but it can lead to breaches. If you type “J” in order to email “Jamie” and it suggests “Jason” because you email them more frequently, you can easily send personal data to the wrong person. We’ve seen this one a lot!
Triple check where you are sending your emails before clicking send. You can even turn the function off if you want to be extra careful!
Lack of Awareness of Rules
It’s all well and good having a Data Protection (DP) team to handle DP matters, but DP should be woven through your business processes so that anyone handling personal data knows how to treat it appropriately. We’ve seen lots of people sending rafts of personal data without considering password protection, or sending more information than they should, just because the information required is contained in a larger data set.
Get the processes right, but get the culture right too. Make sure staff carry out training and don’t be afraid to challenge inappropriate data use.
Attaching incorrect files
We all know human error can occur and the wrong file may be attached to an email, but again a triple check before you send anything could avoid a breach.
If you have applied password protection / encryption then you’ve significantly lowered the risk!
Webchat
Webchat can cause a challenge for businesses around DP, particularly as agents dealing with customers are sometimes expected to handle multiple conversations / windows at once, which can lead to personal data being accidentally provided to the wrong recipient.
Think about how you handle webchat queries. If your agents need to work multiple windows, make sure there are processes in place that, for example, prevent a customer being sent a username and password in the same message, as that message being sent through the wrong window can cause a whole lot of issues.
Paper files left in the office
I’m sure we’ve all seen this in the day to day running of an office, people leaving files with personal data scattered around when they leave their desk or even when they go home. Fit notes left on desks, disciplinary notes printed and left on the printer, the list goes on.
Operate a clear desk policy, and make sure that files are locked away at night or destroyed. Think about whether you really need to print that file. This is just as important during Covid times: you have more staff working from home, so do they understand your expectations as to how to treat personal data at home as well as in the workplace?
Personal data on the move
It’s becoming more common practice to work from trains, or coffee shops, but do you consider who is around you when you are looking at personal data?
Make sure you consider where you sit if you will be looking at personal data. It may sound over the top, but we’ve seen breaches occur from people reading over others’ shoulders on a train, or even from someone sitting in a coffee shop with their back to a window, allowing anyone walking past to see what’s on their screen.
Employees clicking on phishing emails
There are various types of phishing emails that could trip up your employees, the most common being an email sent to an employee telling them that their account has been compromised and they need to click a link to fix it. This could lead to deleted / stolen data or malware being installed on your computer, which can make changes to your network, like enabling remote access or even spying on your activities.
Staff awareness around spotting these types of email, and knowing what to do if they think they've received one, is vital. Do not click on the link if you are unclear where the message came from.
I can't stress enough the importance of making sure that you have clear procedures in place that employees must follow, and of ensuring that your employees are aware of your rules. It's impossible to eradicate all human error, as people will make mistakes, but you can significantly lower the risk by raising awareness with staff, properly training them, and having policies and processes in place to help staff understand your expectations of them when handling personal data.