Preventing personal data breaches

Preventing Personal Data Breaches: more than just cyber-security

A recent news story from BBC news has highlighted the importance of ensuring all organisations have a full-scale data security policy. When many organisations think of data security, they think of cyber-security and preventing malicious attacks. However, ensuring your policy includes provisions for physical security both within and outside the organisation is also essential.

According to BBC News, a handbag containing personal data about multiple patients was stolen from inside a hospital, creating a potential personal data breach. The Bournemouth Daily Echo reports that the bag containing the personal data was left unattended in the trauma ward. Fortunately, it was recovered, and the hospital has concluded that it is unlikely that the personal data left the hospital. However, the incident highlights how staff behaviour is an important source of risk with regard to the protection of personal data.


To reduce these risks, organisations should consider adding information on physical security to their data protection policies and procedures documents. Policies could include restrictions on carrying personal information in cars, bags and other property belonging to staff members unless absolutely necessary. They could also require installing sufficient locks or other access barriers to protect data assets. Moreover, additional security measures on the premises, or for spaces where personal data is stored, may be required, such as locking filing cabinets, locking doors, and locking personal items in desk drawers when not in use. This is particularly important because electronic storage of data assets is often the focus of attention, with comparatively less paid to paper documentation. Staff should be trained to ensure they follow appropriate physical and electronic security measures and document management protocols.

Nevertheless, electronic security measures should also be implemented. These could include good practices such as purchasing password-protected or encrypted data storage devices and installing anti-virus programmes on the company or personal devices used for work. In short, an effective data security policy should consider:

  • Technical and procedural protections
  • Cyber-security and physical security
  • Electronic security and document management

Combined, these measures will reduce an organisation's risk and help it implement effective data security for the personal data of its customers, clients, patients, employees and other data subjects.

Contact our DPO team for more information:

Filippo Marchetti, Data Protection Specialist at Trilateral Research