Enterprises, educational institutions and local government offices are all responsible for the security of the data they store and share. In the UK, specific legislation like the General Data Protection Regulation (GDPR) is enforced by regulators at the Information Commissioner’s Office (ICO), and companies that are found to have failed in their obligation to safeguard data can face heavy penalties.

Fortunately, detailed information regarding data security responsibilities is widely available, along with specialist solutions designed to protect information. In this blog, we’ll look at some of the most common questions companies have regarding data security, accompanied by straightforward answers to alleviate concerns.

1. What kind of data needs greater protection?

Under the GDPR, there are some kinds of personal data that are deemed especially sensitive and are classified as “special category”. This information concerns or reveals ethnic or racial origin, religious and political beliefs, genetic and biometric data, and health data, among other areas. Data handlers processing this kind of information should give serious consideration to how and why this data is used and ensure that it is only used when necessary.

Companies must also safeguard business-critical data that can be exploited: for example, financial details that, if disclosed, could result in theft or loss, or private deals and agreements.

2. Can you share data with another organisation?

If your firm has a valid reason, it can share data with another enterprise or entity. However, to comply with the GDPR, companies must have a lawful basis for data sharing and keep a record of it. If the data belongs to a data subject, they must have given their consent for their information to be shared with a third party. Additionally, when the information is shared it must be adequately secured, ensuring that no unauthorised entity can interact with it.

3. What is the best way to secure data?

Cybersecurity experts agree that the most effective way of keeping data secure is to use encryption software. Once applied, data encryption scrambles the contents of a message or file, ensuring that no one can read it without authorisation. The sender of a message or creator of a file holds a private encryption key that gives them access to view, alter, or delete the content. They can then issue a public key to those they wish to grant access to, also known as a decryption key or decryptor for short.

Once a file or message is encrypted it can be shared, sent, or stored on a server or cloud-based storage vault while remaining entirely secure. Companies that encrypt the sensitive and confidential data they share and store can avoid heavy fines from data regulators. The ICO recognises the use of data encryption as evidence that an operation has taken sufficient measures to secure data.

4. How long should data be kept on file?

While there are no precise rules regarding how long information can be kept, for security reasons, personal data should only be held for as long as it is needed. When data is no longer required, it must be destroyed securely. A clear record should always be kept of when data was destroyed, and evidence of its deletion retained. While electronic data can be deleted from devices, servers and backups, physical data files must be shredded.

5. What makes a strong password?

Despite their limitations, passwords are still the most commonly used credentials for limiting access to data. However, to remain effective, they must be tough to crack but easy to recall. While a series of random characters of mixed case, numbers and symbols might be impossible for a threat operator to guess, it will be equally difficult for a user to remember. In such cases, a user will either save the password to their local device or keep a record of it on file where they can cut and paste it as required. Either way, the result is a data security vulnerability.

The latest advice from the UK’s National Cyber Security Centre (NCSC) is to construct passwords from three unrelated words. Simpler to remember, these passwords remain difficult for attackers to deduce. Passwords should always be issued by IT departments rather than users, and should be changed regularly.
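To make the “three random words” advice concrete, here is an added example (not Galaxkey’s code) that generates such a passphrase with a cryptographically secure random source and compares its strength, in bits of entropy, with a random-character password. The word list is a constructed sample; the 94-character set is the printable ASCII alphabet assumed for the character-based comparison.

```python
import math
import secrets

# Constructed sample word list. A real deployment would use a list of
# several thousand common words; the entropy figures below show why.
WORDLIST = [
    "apple", "bridge", "candle", "desert", "engine", "forest", "garden",
    "harbor", "island", "jacket", "kettle", "ladder", "magnet", "needle",
    "orange", "pepper", "quartz", "rocket", "saddle", "tunnel", "velvet",
    "window", "yellow", "zipper",
]


def generate_passphrase(wordlist=WORDLIST, n_words=3, sep="-"):
    """Pick n_words independently and uniformly using secrets (a CSPRNG),
    matching the NCSC 'three random words' pattern. Words may repeat."""
    if n_words < 1 or len(wordlist) < 2:
        raise ValueError("need at least one word and a list of >= 2 words")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def is_valid_passphrase(phrase, wordlist=WORDLIST, n_words=3, sep="-"):
    """Check that a phrase is n_words entries from the list joined by sep."""
    parts = phrase.split(sep)
    return len(parts) == n_words and all(p in wordlist for p in parts)


def passphrase_entropy_bits(wordlist_size, n_words):
    """Entropy of n uniformly chosen words: n * log2(list size).
    Three words from a 7776-word list give about 38.8 bits."""
    return n_words * math.log2(wordlist_size)


def charset_entropy_bits(length, charset_size=94):
    """Entropy of a uniformly random string over a charset
    (94 = printable ASCII). Eight such characters give about 52.4 bits."""
    return length * math.log2(charset_size)


def words_needed(target_bits, wordlist_size):
    """Smallest number of words from a list of the given size that reaches
    the target entropy, so an IT department can size its policy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, "->", round(passphrase_entropy_bits(len(WORDLIST), 3), 1), "bits")
```

The numbers make the trade-off explicit: three words from the 24-word sample list give under 14 bits, so the memorability benefit only holds up when the list is large enough for the words to be genuinely unpredictable.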

Multifactor authentication should also be activated on password protected areas and accounts to add a secondary layer of data security.

6. What actions should you take when data security is compromised?

If your team identifies that there has been a breach in data security, you must immediately conduct a risk assessment. Find out what type of data was disclosed and how sensitive the information involved is. If the information exposed belonged to specific data subjects, they must be informed of the breach and advised on the potential risks involved. For example, if their email addresses and telephone numbers were compromised, you can warn them to be wary of suspicious messages and calls.

You must also report the incident to the ICO. Most firms will have a 72-hour window to assess and report the data security breach. The ICO will want to know how and when the breach occurred, when it was first identified and what measures have been taken to prevent the same incident happening again. It will also need to know the extent of the breach, the type of data involved and what data security measures were in use at the time of the incident.

Experts in data security

At Galaxkey, we provide businesses, local authorities, universities, and schools with the tools necessary to protect the data they retain and share. Our secure workspace has zero back doors and never stores passwords, while our suite of email tools features handy options like time-out and recall.

We also offer digital document signing and data encryption solutions that ensure all content kept or used by your operation has three layers of powerful protection and is always completely traceable for compliance.

To access our data security solutions today, contact our team and start a free 14-day trial of our cutting-edge toolkit.