The National Cyber Security Centre (NCSC) recently published security guidance which provides technical advice on protecting your website, emails and domain. This blog outlines how to protect your digital data while complying with your legal obligations.
Hackers may seek to breach your security for various reasons, such as to damage your reputation or profit financially. However, there are a number of security measures you can take to protect your business and ensure compliance with your legal obligations.
Businesses have legal obligations to store customer and employee data securely. It is therefore essential that you take proactive measures to protect your business and data – both physical files and digital data. Whether you store your data digitally or physically, you should always train your staff on your data security procedures and the importance of data security.
Protecting physical data
Although it is likely that your business will store most of its personal data digitally, you may have some hard copy files. When storing physical files, you should:
- Ensure your business premises are physically secure;
- Use secure cabinets;
- Limit access to the files to only those who need to view them;
- Use appropriate confidential waste bins, shredding all waste paper containing personal data; and
- Consider storing sensitive personal data separately from other personal data.
Digital data
Here are some recommended steps for the use of digital accounts and online services:
- Ensure that your account is secured with a strong password. The NCSC recommends using a sequence of three random words to create a password that is ‘long enough and strong enough’. Avoid common passwords that are easy to guess (like ‘password’) or those that include your business name or personal details (eg birthdate or name).
- Configure multi-factor authentication to create an additional layer of security, which significantly reduces the risk of unauthorised access.
- Ensure that you regularly update your contact information so that you can be reached in the event of a security alert or if you need an alternative way to access your account.
- If you have your own domain (eg ‘example.co.uk’) you should select a highly regarded domain registrar that meets your specific business needs. For example, you may wish to opt for a registrar that allows multiple users to manage your domain, to avoid sharing passwords.
You can improve the security of your digital data storage by:
- Using encryption;
- Implementing cybersecurity measures, eg by using malware protection and backing up your data;
- Restricting access to the data, eg by using strong and unique password protection on all equipment; and
- Ensuring the equipment used to store the data is physically secure, eg by storing servers in a separate room with additional security protection.
For more information on the safe storage of data, see Storing personal data securely.
Data breaches
If your security measures are compromised, you must immediately assess whether there has been a personal data breach. You must respond to any breach quickly and effectively.
When a breach is likely to put the rights and freedoms of the people involved at risk, you must notify the ICO within 72 hours of becoming aware of the breach. You may also need to notify the individuals concerned if a breach is highly likely to put their rights and freedoms at risk. In all cases, you should document how you responded to the breach so that you can justify your decisions later if necessary.
If you suspect that your business may have been the victim of online fraud, scams or extortion, you should report this through the Action Fraud website.
For full guidance about how to respond to personal data breaches, see Obligations when a data breach occurs. For a summary of the steps you should take after you become aware of a data breach, see Checklist for responding to a data breach.
NCSC services
The NCSC offers a free service, Check your email security, which enables you to check if you have recommended security mechanisms (SPF, DMARC, DKIM, TLS and MTA-STS) configured correctly.
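The NCSC service checks these mechanisms against your live DNS. As an added illustration (not the NCSC's tool and not code from the article), the script below applies the kind of structural checks such a service performs to SPF and DMARC TXT records supplied as strings, so it runs offline; the sample records, domain names and report address are constructed for the example.

```python
"""Structural checks for SPF and DMARC TXT records (added example).

Assumptions: the records are passed in as strings rather than fetched
from DNS, and all domain names below are constructed placeholders.
"""
import re

# SPF terms that each cost a DNS lookup; RFC 7208 caps a record at 10.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record: str) -> list[str]:
    """Return a list of problems found in an SPF record (empty means ok)."""
    problems = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    lookups = 0
    has_redirect = False
    last = None
    for term in terms[1:]:
        # Drop the qualifier (+ - ~ ?) and keep the mechanism/modifier name.
        body = term.lstrip("+-~?")
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "redirect":
            has_redirect = True
        last = term.lower()
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceeds the limit of 10")
    # A bare "all" is the same as "+all": every host may send as the domain.
    if last in ("+all", "all"):
        problems.append("'+all' lets any host send as this domain")
    elif not has_redirect and last not in ("-all", "~all"):
        problems.append("record does not end with -all or ~all")
    return problems


def check_dmarc(record: str) -> list[str]:
    """Return a list of problems found in a DMARC record (empty means ok)."""
    problems = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= policy tag")
    elif policy == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        problems.append("no rua= address, so aggregate reports will not be received")
    return problems


# Constructed sample records for a fictitious domain.
SAMPLE_RECORDS = {
    "good SPF": "v=spf1 include:_spf.mail.example.net mx -all",
    "weak SPF": "v=spf1 a mx include:a.example include:b.example +all",
    "good DMARC": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.co.uk",
    "weak DMARC": "v=DMARC1; p=none",
}


def audit_samples() -> dict[str, list[str]]:
    """Run the checks over the constructed samples and collect findings."""
    return {
        name: (check_spf(rec) if "SPF" in name else check_dmarc(rec))
        for name, rec in SAMPLE_RECORDS.items()
    }


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name}: {findings or 'no problems found'}")
```

Both checks are deliberately conservative: they flag the permissive `+all`, a missing or monitor-only DMARC policy, and the absence of a reporting address, which are the configuration gaps a live check would also surface. Fetching the real TXT records for your domain (for example with `dig TXT _dmarc.example.co.uk`) and feeding them to these functions gives the same structural view without depending on an external service.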
The NCSC Check your cyber security service allows you to check if your IP address or website has any common vulnerabilities that could be exploited by cyber criminals.
If you are a high-risk individual, you can also register your personal details with the NCSC. If they become aware of any suspicious activity, they can notify you.
Learn more
Further information can be found at:
- Sharing personal data
- Using personal data, policies and record-keeping
- Data protection issues when monitoring staff
- Staff records
- Individuals’ access to personal data (including subject access requests)
The content in this article is up to date at the date of publishing. The information provided is intended only for information purposes, and is not for the purpose of providing legal advice. Sparqa Legal’s Terms of Use apply.
Marion joined Sparqa Legal as a Senior Legal Editor in 2018. She previously worked as a corporate/commercial lawyer for five years at one of New Zealand’s leading law firms, Kensington Swan (now Dentons Kensington Swan), and as an in-house legal consultant for a UK tech company. Marion regularly writes for Sparqa’s blog, contributing across its commercial, IP and health and safety law content.