This month is National Cybersecurity Awareness Month in the United States, which aims to raise cybersecurity awareness and assist individuals to protect their personal data online. Cybersecurity awareness is important because of our ever-increasing reliance on technology and the rising threats of cyber attacks, so it is vital for all individuals and organisations to store personal data securely.
The campaign theme of National Cybersecurity Awareness Month this year is “See Yourself in Cyber”, with a focus on the ‘people’ part of cybersecurity, encouraging all the members of a workforce to take active measures to engage in building a cyber-secure workplace.
To help you build your cybersecurity, we’ve set out below the basics of when you can store personal data and how to store personal data securely.
Storing Personal Data – the basics
Personal data is any information about an identifiable, living person. Strict rules apply around the collection, processing, and use of personal data; you can find out more about these rules in our Q&A.
In terms of storing personal data, you can only store it in a way that is compatible with your original purpose for collecting the data. You must:
- conduct a data protection impact assessment if appropriate, eg before introducing new technology to store data, or if you are required by law to do one;
- only collect and keep personal data that is actually necessary for the purpose for which you are storing it;
- make sure that any personal data you store is accurate and kept up-to-date;
- not keep personal data for any longer than necessary; and
- make sure that personal data is stored securely. See below for tips on how to do this.
When storing personal data, you must:
- keep it under review to check whether it is still accurate and whether you still need it for the purpose(s) for which it was collected;
- delete or anonymise data you no longer need; and
- store it in such a way that you’ll be able to respond promptly to any data subject requests (eg requests for erasure or correction, or requests for copies of personal data from the individual concerned).
How to Store Personal Data Securely
Storing personal data securely
Below are some tips on how to store personal data securely. You can find more detailed guidance on storing data securely in our Q&A.
1. Make sure that your equipment is physically secure
Tips for keeping the personal data you are storing electronically physically secure include:
- if you have servers, storing them in a separate room which has additional security protection;
- making sure your business premises are physically secure, keep track of access given to anyone outside of your business, and consider the security implications of giving access;
- ensuring that back-up or storage devices are kept securely, disconnected and locked away when not in use;
- making sure that lost or stolen devices can be tracked, locked or wiped remotely; and
- securely removing all personal data before disposing of old computers.
For template policies you can use to set out how your staff should ensure the security of devices, see IT, communications and social media policy for a general policy and Bring your own device policy for a policy you can use when staff are working on their own personal devices.
2. Restrict access to personal data that you are storing electronically
You should restrict access to users and sources that you trust. You can do this in a variety of ways, for example:
- use password protection on all equipment, giving each authorised user their own username and password and ensuring that your staff are aware of the risks of disclosing their log-in details to their colleagues;
- enforce strong passwords (with two-factor authentication where practical), limit the number of failed login attempts and enforce regular password changes;
- only allow authorised users to access, alter, disclose or destroy personal data, and cancel access rights as soon as a staff member leaves your business;
- if appropriate, store sensitive personal data separately to ensure that only those who need to access it may do so;
- only use administrator accounts where strictly necessary as attacks such as phishing can be far more damaging if access is gained to an administrator account; and
- do not allow untrusted devices to connect to your network and ensure that your staff consider the risks of using work devices on untrusted networks, including the use of public Wi-Fi hotspots.
3. Cybersecurity measures
The National Cyber Security Centre (NCSC) has a guide for small businesses which contains suggestions for improving cyber security within your organisation. Steps that you should consider taking include the following:
Back up your data
Make regular backups of the personal data that you store to ensure that it can be quickly restored. Consider using cloud services as a cost-effective and efficient way of backing up your files automatically, but do not use cloud syncing services as your only backup.
Malware is malicious software or web content that can harm your business by infecting your software. To prevent malware from breaching your data security, you should:
- ensure that you have suitable, up-to-date anti-virus or anti-malware and anti-spyware software;
- switch on your boundary firewalls;
- switch on internet gateways to prevent your staff from accessing unauthenticated websites or from downloading apps or other products from unknown sources;
- ensure that your computer equipment, software, mobile phones and apps are maintained and software is kept up to date, and remove unused software and services from your devices; and
- consider restricting how USB drives and memory cards are used by your staff to transfer files (eg by only permitting them to use approved drives on business devices).
Train your staff to:
- recognise and deal with threats such as phishing emails and other malware;
- comply with any internal data handling policies you have, including what to do about taking personal data offsite (eg on laptops, USB drives or phones).
- use strong passwords (eg with a combination of letters, numbers and other characters) which are changed regularly; and
- understand what steps to take (eg who to report to) if they believe your business has been the victim of a cyber attack.
Additional steps if your staff work remotely
When your staff are working from home there may be additional cyber security measures your business will need to take to address new vulnerabilities. See Staff working from home for further guidance.
Sign up to the Cyber Essentials certification scheme
If you want to reassure your clients or customers that you store their personal data in a secure environment, protected against cyber attacks, you could consider signing up for the UK government-backed Cyber Essentials certification scheme.
To assist you with your legal obligations, our Data protection policy toolkit contains the relevant data protection policies you should have in place when collecting, processing and storing personal data.
Marion joined Sparqa Legal as a Senior Legal Editor in 2018. She previously worked as a corporate/commercial lawyer for five years at one of New Zealand’s leading law firms, Kensington Swan (now Dentons Kensington Swan), and as an in-house legal consultant for a UK tech company. Marion regularly writes for Sparqa’s blog, contributing across its commercial, IP and health and safety law content.