Data Privacy Day 2020: Keeping Data Safe

Whether you’re a small to medium business or a large corporation, it is vital you adhere to best practice for data protection. On Data Privacy Day, we discuss how to keep your data safe.

All businesses in the UK must adhere to the Data Protection Act of 2018, which aims to promote high standards in the handling of personal data, upholds the principle of the right to privacy, and complements the EU's General Data Protection Regulation (GDPR). The Act applies to all data concerning living individuals which is stored electronically, including name, address, date of birth and financial information. The data must be obtained lawfully, be relevant for the purpose of its collection but not excessive, be accurate and up to date where necessary, and be kept secure. Further, individuals have a right under the Data Protection Act to obtain a copy of data held concerning them, known as the right of subject access. Businesses that receive such a request must respond within 40 days, and a fee of up to £10 can be charged.

As well as being a legal requirement, the Data Protection Act also makes good business sense. Keeping data on your customers or clients safe will protect you against potential damages in the event of a data breach, and good handling of data can improve your business’s reputation; conversely, a data breach could bring with it negative PR. Failure to comply with the Data Protection Act could land your business in serious financial and legal trouble; the Information Commissioner has the power to give fines of up to £500,000.

All data should be stored securely, and access given only to those who need it. Additionally, you should consider encrypting all data stored on your system. Encryption makes the data inaccessible to anyone without the unique decryption key, and acts as the ultimate defence against data breaches. Obviously, though, encryption does not prevent Data Protection Act breaches caused by human error.

A big source of data protection breaches is old hard drives that haven’t been properly erased. A recent study by Blancco Technology Group found that, of the 200 second-hand hard drives they randomly purchased online, 67% contained personal data like financial information and photos. Of the hard drives previously belonging to businesses, the study found that 11% contained residual data. That is obviously a much lower figure than the overall 67%, but it’s still incredibly concerning, particularly because the data included financial spreadsheets, staff emails and personal details of customers.

The study showed that simply dragging files to the Recycle Bin won’t suffice – data has to be securely erased, or the drive physically destroyed. We’d recommend both.

Disk wiping – or data sanitisation – is a process whereby all the data stored on a hard drive is erased and then overwritten with dummy data. A good, free example is Darik’s Boot and Nuke, more commonly known as DBAN. Sanitising your hard drive will ensure that the data previously stored on it is inaccessible, but it’s worth physically destroying the drive as well.

At Data Recovery Specialists, all old, unwanted drives are physically destroyed using specialist equipment; but a hammer will work just fine. Alternatively, there are professional services that specialise in hard drive destruction.
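The overwrite-and-verify idea behind disk wiping, as an added example that is not DBAN and not code from Data Recovery Specialists. It works on an ordinary file used as a stand-in for a block device so it runs offline; the "residual data" markers it seeds are constructed for the demonstration, and `drive.img`, `sanitise`, `find_residue` and `verify_pattern` are names chosen here, not tool or project APIs.

```python
"""Sanitise a drive image by multi-pass overwrite, then verify the result.

Stand-in for wiping a real device: `path` would normally be a block device
such as /dev/sdX (run as root, with the disk unmounted). The markers below
are constructed examples of the kind of residue the Blancco study found.
"""
import os
import secrets

CHUNK = 1 << 16  # 64 KiB read/write unit

# Constructed sample residue: a financial spreadsheet row, a staff email
# header and a customer detail. Assumption for the demo, not real data.
RESIDUE = [
    b"ACCOUNT,SORTCODE,BALANCE",
    b"From: staff@example.invalid",
    b"Customer DOB 01/01/1970",
]


def make_image(path: str, size: int) -> None:
    """Create a file-backed 'drive' with residue scattered across it."""
    with open(path, "wb") as f:
        f.truncate(size)
        for i, marker in enumerate(RESIDUE):
            f.seek((i + 1) * size // (len(RESIDUE) + 1))
            f.write(marker)


def find_residue(path: str) -> list:
    """Scan every byte of the image and return the markers still present.

    Chunks are read with an overlap so a marker that straddles a chunk
    boundary is not missed (the classic false negative in naive scanners).
    """
    found = set()
    overlap = max(len(m) for m in RESIDUE) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            window = tail + chunk
            for m in RESIDUE:
                if m in window:
                    found.add(m)
            tail = window[-overlap:]
    return sorted(found)


def sanitise(path: str, passes=("zero", "random", "zero")) -> int:
    """Overwrite the whole image once per pass, syncing to disk after each.

    Returns the total number of bytes written (size * number of passes).
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                buf = b"\x00" * n if pattern == "zero" else secrets.token_bytes(n)
                f.write(buf)
                remaining -= n
                written += n
            f.flush()
            os.fsync(f.fileno())  # make sure the pass actually hit the media
    return written


def verify_pattern(path: str, byte: int = 0) -> bool:
    """Confirm the final pass landed: every byte of the image equals `byte`."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(byte) != len(chunk):
                return False


def demo(path: str = "drive.img", size: int = 1 << 20) -> dict:
    """Seed an image, prove residue is readable, wipe it, prove it is gone."""
    make_image(path, size)
    before = find_residue(path)
    written = sanitise(path)
    after = find_residue(path)
    clean = verify_pattern(path, 0)
    os.remove(path)
    return {"before": len(before), "after": len(after),
            "written": written, "clean": clean}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. First, the verification pass is the part that matters: a wipe that was not checked is a wipe you are taking on trust. Second, host-side overwriting like this reaches every sector of a spinning disk but not the spare and remapped blocks of an SSD, which is why the page's advice to physically destroy the drive as well, or to use the drive's own built-in secure-erase command, is sound.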
