Since the GDPR came into force, the law on reporting data breaches and on their consequences has changed. Adopting some basic data protection habits, however, could help companies reduce how often breaches occur. This article identifies some basic practices which could be adopted (or avoided, as the case may be) in order to prevent data breaches in an organization.
- Leaving pieces of paper lying on the desk: It is common for people to take notes on pieces of paper, particularly post-it notes, and leave them lying on the desk as a reminder. This is a very practical way of keeping track of one's tasks! From a data protection perspective, however, it is not best practice where such notes contain personal data, because other employees who are not authorized to access that data may see it, and cleaners and other (external) support staff are not excluded either. It is therefore advisable to use other means, such as password-protected devices, for taking such notes.
- Trash cans: Trash cans are probably one of the most innocuous-looking yet dangerous routes to a data breach. Documents containing personal data that are simply thrown in the trash are accessible to third parties, and that alone is a breach. Companies must therefore ensure that documents containing personal data or confidential information are shredded (or otherwise securely destroyed) before disposal.
- Double check that email: Before clicking send, take a second look at the recipients of the email: are those the intended recipients? This simple step could prevent a data breach! A significant share of the breaches recorded so far were caused by emails being sent to the wrong recipient(s), for example through an address autocompleted to a similar-looking one, so verify the recipient list before clicking send. For incoming emails, links in phishing and spam mails should not be clicked: a single click can hand over credentials or install malware, which is how a company's systems and databases end up compromised. A good rule is to open only links that are expected from trusted people, that is, links that have been mentioned in previous discussions with them.
- Train employees: Ensuring that employees receive adequate data protection training could go a long way towards saving companies from a data breach. Adequate training helps ensure that employees refrain from activities such as selling personal data, mishandling it, disclosing it (particularly in breach of confidentiality requirements), or opening (harmful) links in spam/phishing mails.
- Adoption of data protection best practices: Companies must stay up to date with developments in the very dynamic field of data protection in order to get a grip on best practice in the field. Implementing an information security management system under a recognised standard such as ISO/IEC 27001 may also be a good starting point for protecting personal data in the workplace.
- Listen to your experts: Most companies employ data protection/IT security experts to ensure the protection of personal data. However, the weight given to the advice of these experts varies from company to company. Companies need to incorporate that advice into their business operations, as this is one of the most reliable ways of protecting personal data and preventing (or at least minimizing) potential data breaches.
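The "double check that email" habit above can be partly automated. The following is an added example, not code from the original article: a pre-send recipient check of the kind a mail client plug-in or DLP hook could run. It flags malformed addresses, external domains the organization has never corresponded with, near-miss domains that look like an autocomplete typo, and too many external addresses visible in To/Cc (which discloses each recipient's address to all the others). The domain lists, the threshold and the sample addresses are constructed assumptions for the example.

```python
"""Pre-send recipient check for the common causes of misdirected e-mail (added example)."""

# Constructed configuration for this example (assumptions, not from the article):
# the organization's own mail domain and external domains it is known to deal with.
INTERNAL_DOMAINS = {"example.com"}
KNOWN_EXTERNAL_DOMAINS = {"partner-firm.example.org"}
MAX_VISIBLE_EXTERNAL = 3  # more external addresses than this in To/Cc -> suggest Bcc


def domain_of(address):
    """Return the lower-cased domain of an e-mail address, or None if it is malformed."""
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or "." not in domain or " " in address:
        return None
    return domain.lower()


def is_internal(domain):
    """True for the organization's own domain and any of its sub-domains."""
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domains such as exmaple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_recipients(to, cc=(), bcc=()):
    """Return a list of warning strings; an empty list means nothing looked wrong."""
    warnings = []
    trusted = INTERNAL_DOMAINS | KNOWN_EXTERNAL_DOMAINS
    visible_external = 0
    for header, addresses in (("To", to), ("Cc", cc), ("Bcc", bcc)):
        for addr in addresses:
            dom = domain_of(addr)
            if dom is None:
                warnings.append(f"{header}: '{addr}' is not a valid address")
                continue
            if is_internal(dom):
                continue
            if header != "Bcc":
                visible_external += 1
            if dom in KNOWN_EXTERNAL_DOMAINS:
                continue
            # Unknown external domain: is it a near miss of a domain we trust?
            near = [t for t in sorted(trusted) if edit_distance(dom, t) <= 2]
            if near:
                warnings.append(f"{header}: '{addr}' looks like a typo of {near[0]}")
            else:
                warnings.append(f"{header}: '{addr}' is an external domain not seen before")
    if visible_external > MAX_VISIBLE_EXTERNAL:
        warnings.append(
            f"{visible_external} external addresses are visible in To/Cc; "
            "use Bcc so recipients cannot see each other's addresses")
    return warnings


if __name__ == "__main__":
    # Constructed sample: an internal colleague, a typo'd domain and a new external contact.
    for w in check_recipients(["alice@example.com", "bob@exmaple.com"],
                              cc=["carol@newclient.example.net"]):
        print("WARNING:", w)
```

In practice the "known external" set would be populated from the organization's sent-mail history, and a warning would surface as a confirmation dialog rather than a blocked send; the check cannot know who the intended recipient is, only that the address is unusual enough to deserve the second look the article asks for.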
In conclusion, in addition to the preventive measures above, companies must adopt a prompt and effective data breach response process; under the GDPR, a breach must generally be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the company becoming aware of it. The effectiveness of such a process can be tested by running breach simulations. This helps ensure that data breaches are detected in good time and that adequate mitigating measures are put in place to reduce their consequences.