The first of these was in 1988, when businesses would have had limited IT systems and for lots of SMEs none at all, relying instead on fixed landlines, paper and type and perhaps the cutting-edge “facsimile” machine. This is inconceivable now – every business has IT systems from the self-employed painter/decorator carrying a smartphone to the complex, cutting-edge, super-technology of multinationals.
And with this behemoth digital shift, the risks to businesses of computer insecurity have similarly risen inexorably.
Notwithstanding the damage to the day-to-day operations of a business, the General Data Protection Regulation 2016 (GDPR) has made the issue of computer security additionally important for organisations.
One of the principles of the GDPR is “integrity and confidentiality” of personal data. The UK’s regulator for data protection, the ICO, has parsed this as “security” of personal data. Breaching the data protection principles in the GDPR can be costly for businesses. The fines associated with breaching the GDPR are not to be underestimated and can amount to a maximum of 4% of an organisation’s turnover in the preceding financial year.
The GDPR requires that organisations take appropriate technical and organisational measures to protect personal data.
“Appropriate” is a key word. The consideration of what is appropriate is double-edged; it is neither a licence to save money on IT nor a dictum to turn offices into Fort Knox. Instead, organisations are expected to show they have given proper consideration to the risks associated with the personal data they are storing and processing and have made a balanced survey of the options for protecting that data. Organisations can consider both what is possible in their circumstances and what the state of technology will allow, and this will differ from organisation to organisation and between different types of processing. However, organisations should also be prepared to stop (or not start) the collection and processing of personal data where the risks cannot be reduced enough to keep the personal data objectively secure, because they cannot afford the necessary tools or the tools are simply unavailable.
I started this article talking about computer security, but organisations need to think about physical security and confidentiality too when considering their security policies. In particular, staff should be regularly trained on the importance of personal data security and reminded that it is a (criminal) offence to obtain personal data beyond that which is needed for their job. In relation to physical security, organisations need to think about all the ways that personal data can be physically accessed by a third party, especially while staff are working from home and documents cannot be confined to an office. Perhaps businesses should be adding shredders to staff Christmas lists this year?