How can businesses keep employee data private?

With increasing digitisation across all areas of business, the private information of employees and customers is increasingly at risk from hackers and cybercriminals.


With businesses of all sizes regularly falling victim to hacking attacks and data breaches, and with increasing UK and EU regulation that carries potential fines for businesses that fail to secure private data, it is important to know what your obligations are, as a business, regarding private data.

To that end, here is a brief rundown of what a business’s obligations are regarding private data, as well as some suggestions on how a business can secure sensitive data.

What are a business’s obligations regarding data security?

It is a fact of life that a business will accumulate substantial amounts of sensitive data through normal day-to-day activities, covering everything from basic DBS checks from providers like to customer address and payment information. There is, however, a substantial amount of guidance surrounding the proper handling of sensitive information.

The EU defines private information as any data “by which an individual can be identified”, a definition that is quite broad. The regulations also state that the company which collected the data remains responsible for its security, even if it hands the data over to a third party, such as a cloud storage provider. Going hand in hand with this are restrictions on where in the world data can travel and still be considered secure, which has particular implications for offsite solutions –


It is important to consider that users have a quite broad ‘right to be forgotten’, under which they can request that their data be erased. Some information, such as data from DBS checks, carries the additional requirement that it is erased within six months.

How can a business best secure data?

With physical documents, secure shredding is the obvious way to dispose of data, and it is little different with digital information – data removed by normal deletion methods can often be reconstructed, so unrecoverable deletion methods are recommended.

With all digital information, encryption is extremely important, especially with the new EU and UK data protection regulations. When information is properly encrypted, it is no longer considered to be ‘identifying’, and in the event of a breach, may not be accessible.
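One way to make both points concrete is crypto-shredding: each employee record is encrypted under its own random key, so a copy of the database without the key store is unreadable, and an erasure request (the ‘right to be forgotten’ above) is honoured by destroying that key, which leaves every remaining copy of the ciphertext, backups included, permanently unrecoverable. The following Go program is an added example written for this page, not code from the article or any product it mentions; it assumes a hypothetical in-memory key store and uses AES-256-GCM from the Go standard library, with the employee ID bound as associated data so a ciphertext cannot be swapped between records. The sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrErased is returned once a record's key has been destroyed.
var ErrErased = errors.New("record erased: key no longer exists")

// Store is a minimal crypto-shredding store (hypothetical, in-memory).
// In practice the keys would live in an HSM or KMS, separate from the data.
type Store struct {
	keys    map[string][]byte // per-employee data encryption keys
	records map[string][]byte // nonce || ciphertext, as it would sit at rest
}

func NewStore() *Store {
	return &Store{keys: map[string][]byte{}, records: map[string][]byte{}}
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts plaintext for employeeID under a freshly generated 256-bit key.
func (s *Store) Put(employeeID string, plaintext []byte) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The employee ID is authenticated as associated data, so a ciphertext
	// moved to a different employee's row fails to decrypt.
	ct := aead.Seal(nil, nonce, plaintext, []byte(employeeID))
	s.keys[employeeID] = key
	s.records[employeeID] = append(nonce, ct...)
	return nil
}

// Get decrypts a record; it fails with ErrErased once the key is gone.
func (s *Store) Get(employeeID string) ([]byte, error) {
	key, ok := s.keys[employeeID]
	if !ok {
		return nil, ErrErased
	}
	blob, ok := s.records[employeeID]
	if !ok {
		return nil, errors.New("no such record")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(employeeID))
}

// Erase zeroes and drops the key. The ciphertext may linger in backups,
// but without the key it is indistinguishable from random bytes.
func (s *Store) Erase(employeeID string) {
	if key, ok := s.keys[employeeID]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(s.keys, employeeID)
	}
}

// Raw returns what an attacker who copies the database (but not the key
// store) would obtain for this employee.
func (s *Store) Raw(employeeID string) []byte { return s.records[employeeID] }

func main() {
	s := NewStore()
	// Constructed sample record; the DBS reference is a placeholder.
	_ = s.Put("emp-0042", []byte("Jane Doe, DBS check ref: PLACEHOLDER"))
	pt, _ := s.Get("emp-0042")
	fmt.Printf("decrypted: %s\n", pt)
	fmt.Printf("at rest:   %x\n", s.Raw("emp-0042"))
	s.Erase("emp-0042")
	_, err := s.Get("emp-0042")
	fmt.Println("after erase:", err)
}
```

The design choice worth noting is the separation: the data store holds only ciphertext, the key store holds only keys, and a breach of either on its own exposes nothing identifying. Erasure then becomes a single key deletion rather than a hunt through every backup for the plaintext.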

With new regulation promising fines in excess of £500,000 for data breaches, properly securing private data is increasingly important.