Handling sensitive data
Are you responsible for holding sensitive data specific to individuals?
If you hold sensitive data specific to an individual or business, you are considered responsible for it and run the risk of being held liable should it be misused. If that happens, you may be in the firing line should a case be raised, so it is important that you understand the ways in which you should protect against this. This matters all the more because the new GDPR regulations come into force in May 2018, and business practices must change in the way data is handled and breaches are reported. Sensitive data is held in many industries, with finance and medicine two of the most common. You should consider the following actions before the introduction of GDPR to help minimise your exposure.
Actions to undertake:
Ensure that all data is stored in the most secure place possible.
Keep a backup of the data so that you are able to continue business operations should a breach occur.
Restrict access on a need-to-know basis, i.e. employees only have access to the data they need to complete their work.
Delete user accounts that are no longer necessary.
Encourage password changes every 6 weeks.
Another step a business may consider in order to protect itself is the purchase of cyber insurance. Cyber insurance is an effective way to protect the business financially should a breach occur: it is designed to put the business back into the position it was in before the breach. Costs such as notification costs and regulatory fines can be covered under a policy, which matters especially because under GDPR fines can reach up to £20m or 4% of turnover, whichever is bigger. Can your business afford to take the risk?