The news that British Airways has been fined over £180 million for suffering a data breach is an important reminder to everyone who’s involved in handling data.
The fine came after hackers stole data relating to 500,000 customers, including names and addresses, travel details, logins and payment card information. It’s the first fine proposed by the ICO under GDPR and certainly won’t be the last.
Since GDPR, companies have taken data protection more seriously than ever before and rightly so. Businesses have been busy ensuring that they have the necessary consents and permissions in place to process customer data and that their data policies are clear. In doing so, it’s possible that some may have been guilty of taking their eye off the most basic principle of data protection – data security.
Safety First
It’s important to have your Privacy Policies up to date, to manage your marketing permissions and to have a process in place for Subject Access Requests, but security needs to be at the heart of your data protection policies.
Most businesses do a good job of protecting their customer databases. Access is normally restricted, passwords and encryption are in place and everything sits behind a firewall.
The problems normally arise when data is extracted. Campaign files need to be securely transmitted to their destinations. Access needs to be restricted to those who need it. And data files must be destroyed once they’re no longer needed.
Files stored on individual PCs or in emails are vulnerable, so you need make sure everyone in your organisation knows how to handle your data.
Guard your data jealously
Make sure you keep your data within a separate and secure Customer Data Platform. It goes without saying that it needs to be kept secure, but at some point, you need to bring data out of it.
Make sure only the minimum data required is extracted, and is made available for the shortest amount of time. Data should be provided for a defined purpose only, after which it is destroyed.
In the first instance, particular care needs to be given to who should have access to individually-identified records and who doesn’t. Producing aggregated MI reports on campaign bookings and revenue doesn’t necessarily need the same level of detail as those extracting email campaigns.
So make sure your system can provide different views of data to different users depending upon what they really need. Individual level data should only be extracted and passed on if absolutely necessary and only by individuals with the right permissions, through secure methods under clearly defined confidentiality agreements.
Choose the right suppliers
Robust security means you also need to look outside of your business.
Do your third parties all have formal data security agreements with you? When was the last time you audited them? You should be as certain of your suppliers’ security as you are about your own.
Look for businesses who can demonstrate a commitment to data security. A certification such as ISO27001 can be a useful way to see if a business takes their security seriously, but there’s no substitute for making your own checks and visits.
Defeat your own security
Or at least try to.
Regular penetration testing should be a part of your security protocols. Employ an outside agency to try to make it through your firewall and access your data. Hopefully they won’t, but if they do, then your security isn’t good enough.
A good external company will keep you on your toes, highlighting your weaknesses and advising you on improvements you can make.
Hackers keep developing new and alternative methods to get past the latest security, so you need to stay ahead of them by developing new defences.
Data isn’t just the job of your IT department
Everyone in your business needs to know about data and what needs to be done to protect it.
Make sure your marketers know how to handle campaign files – how they should be sent, to who and how they should be returned or destroyed. And your call centre needs to know the rules around accessing customer records.
Data security and GDPR should form a standard part of new staff induction programmes and of regular team briefings. Your Data Protection Officers should have clearly defined ways of reviewing legislation, company performance and should be disseminating new regulation and guidelines to teams. Every team should automatically complete Privacy Impact Assessments for projects and new developments, however small the project may appear.
If you don’t think your business is taking its data security seriously enough, then make it a priority – wherever you sit in the business.
Because if you don’t keep improving, then no matter how high you build the wall around your data, someone will one day build a taller ladder.
And if you need someone to audit your current arrangements and advise you on next steps, we’ll always be glad to help.