This article first appeared in the Autumn 2017 issue of The Record.
In July we saw a further reminder of why human error accounts for the majority of data breaches in the UK. A (now former) employee of Newcastle Council unwittingly sent the details of thousands of children and their adoptive parents as an attachment to an email that was meant to be a party invitation.
For all the justifiable furore over malicious data breaches, it is often forgotten that, as in the Newcastle case, almost two-thirds (62%) of the incidents reported to the Information Commissioner’s Office last year were accidental: human error is by far the most significant factor in data breaches. And human error extends to our mobile devices and, crucially, to the data on them. Transport for London, for example, reported that nearly 33,000 mobiles were lost on its services in a single year.
There are many concerns associated with data loss, but a key one is that if your organisation holds personal data, you are breaking the law by failing to protect it, on whatever device or service it may sit. The existing Data Protection Act already covers much of this ground, but from next May the new Data Protection Bill (the UK’s implementation of the EU GDPR) will strengthen the data governance regime substantially, with fines of up to €20 million or 4% of global annual turnover, whichever is higher.
The ICO will enforce this, and its guidance sets out one basic principle that we should all take note of: ‘the data controller must remain in control of the personal data for which he is responsible, regardless of the ownership of the device used to carry out the processing.’
This means the right systems and processes must be in place to stay in control of the data, including being able to wipe information should a device be lost or an employee leave the business. It also means locking down sensitive documents and putting controls around who can open, read and modify them. In the Newcastle example, had the document been protected in this way, the damage would have been limited: only those authorised to see the file would have been able to view it, and everyone else on the invitation list would have received a file they could not read.
Services such as Enterprise Mobility + Security from Microsoft allow businesses to segregate corporate data on personal devices and to control what users can do with the documents that hold personal data. Technology alone cannot fix everything, but combined with rigorous policies it can keep organisations on the right side of the Data Protection Bill and GDPR.
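The paragraph above states the control as a principle; the following stdlib-only Python toy, added here as an illustration and not code from the article, from GCI or from any Microsoft product, makes the mechanics concrete. A rights server held by the data controller encrypts each document under a content key it never releases; opening a copy requires an authenticated identity with a read right, changing it requires a modify right, and deprovisioning an identity revokes access to every copy wherever it sits, which is the "wipe" case for a leaver or a lost phone. The identities, the sample record, the method names and the stream cipher are all constructed for the example; the cipher in particular is a throwaway illustration, not something to use in practice.

```python
"""Toy model of identity-bound document protection: added illustration, stdlib only."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

def _keystream_xor(key, data):
    """Throwaway stream cipher (XOR with SHA-256(key || block counter)); not for real use."""
    out = bytearray()
    for start in range(0, len(data), 32):
        block = hashlib.sha256(key + (start // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], block))
    return bytes(out)

@dataclass
class ProtectedBlob:
    """What actually travels as the attachment: ciphertext plus a tag, never the key."""
    doc_id: str
    ciphertext: bytes
    tag: bytes

class RightsServer:
    """Stays with the data controller; content keys and policies never leave it."""
    def __init__(self):
        self._credentials = {}   # principal -> bearer secret (constructed identities)
        self._content_keys = {}  # doc_id -> content key
        self._policies = {}      # doc_id -> {principal: set of rights}

    def provision(self, principal):
        secret = secrets.token_bytes(32)
        self._credentials[principal] = secret
        return secret

    def deprovision(self, principal):
        """Leaver or lost device: revoke everywhere without touching any file copy."""
        self._credentials.pop(principal, None)
        for policy in self._policies.values():
            policy.pop(principal, None)

    def _authenticate(self, principal, credential):
        stored = self._credentials.get(principal)
        if stored is None or not hmac.compare_digest(stored, credential):
            raise PermissionError(f"unknown or revoked identity: {principal}")

    def _seal(self, doc_id, key, plaintext):
        ciphertext = _keystream_xor(key, plaintext)
        tag = hmac.new(key, doc_id.encode() + ciphertext, "sha256").digest()
        return ProtectedBlob(doc_id, ciphertext, tag)

    def protect(self, doc_id, plaintext, rights):
        """Encrypt under a fresh content key and record who may do what with it."""
        key = secrets.token_bytes(32)
        self._content_keys[doc_id] = key
        self._policies[doc_id] = {p: set(r) for p, r in rights.items()}
        return self._seal(doc_id, key, plaintext)

    def open_document(self, blob, principal, credential):
        """Holding the blob is not enough; an authenticated identity with 'read' is."""
        self._authenticate(principal, credential)
        if "read" not in self._policies.get(blob.doc_id, {}).get(principal, set()):
            raise PermissionError(f"{principal} may not read {blob.doc_id}")
        key = self._content_keys[blob.doc_id]
        expected = hmac.new(key, blob.doc_id.encode() + blob.ciphertext, "sha256").digest()
        if not hmac.compare_digest(expected, blob.tag):
            raise ValueError("blob is stale or has been tampered with")
        return _keystream_xor(key, blob.ciphertext)

    def update(self, blob, principal, credential, new_plaintext):
        """Needs 'modify'; rotates the content key so a keystream is never reused."""
        self._authenticate(principal, credential)
        if "modify" not in self._policies.get(blob.doc_id, {}).get(principal, set()):
            raise PermissionError(f"{principal} may not modify {blob.doc_id}")
        key = secrets.token_bytes(32)
        self._content_keys[blob.doc_id] = key
        return self._seal(blob.doc_id, key, new_plaintext)

def run_scenario():
    """Constructed re-run of the mis-sent attachment; returns who could do what."""
    server = RightsServer()
    team, guest = "adoption.team@council.example", "party.guest@external.example"
    team_cred, guest_cred = server.provision(team), server.provision(guest)
    record = b"case 0001: child and adoptive parents (constructed sample)"
    blob = server.protect("adoption-report", record, {team: {"read", "modify"}})

    def allowed(action):
        try:
            action()
            return True
        except PermissionError:
            return False

    outcome = {"plaintext_visible_in_attachment": b"adoptive" in blob.ciphertext}
    outcome["team_reads"] = server.open_document(blob, team, team_cred) == record
    outcome["guest_reads"] = allowed(lambda: server.open_document(blob, guest, guest_cred))
    outcome["guest_modifies"] = allowed(lambda: server.update(blob, guest, guest_cred, b"x"))
    server.deprovision(team)  # the employee leaves; their device still holds the blob
    outcome["leaver_reads"] = allowed(lambda: server.open_document(blob, team, team_cred))
    return outcome
```

The point of the model is where the key lives: every recipient of the mis-sent email holds the same bytes, but only an identity the controller still recognises, with the right recorded against that document, can turn them back into the report. Revoking the identity is what a real rights-management service does behind a "remote wipe": the file on the lost phone is not deleted, it simply stops opening. Key rotation on update also means that stale copies of an edited document fail the integrity check rather than quietly decrypting to old content.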
Jon Seddon is head of product at GCI