Gaining accreditation in a data security standard such as Cyber Essentials is a way for your organisation to bolster its cyber security and ensure it meets data legislation such as GDPR. Prioritising compliance with GDPR rules can reassure your customers that you take their data protection seriously.
Why is data security important?
Research by the National Cyber Security Centre found that, with cyber-attacks reaching record highs, cyber security is now one of the most commonly talked-about IT topics. In August 2021, consultancy firm EY found that 90% of Irish businesses had seen a rise in cyber-attacks in the previous 12 months. Protecting data security is important because it means your organisation can adhere to the General Data Protection Regulation (GDPR). Passed into law in 2016, the GDPR sets the guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Failure to comply with the GDPR could result in temporary or definitive bans on processing data and a fine of up to 20 million euros or 4% of your organisation’s annual global turnover, whichever is greater. A customer data management system is at the heart of data security and can help your organisation apply for Cyber Essentials certification. This demonstrates that you have robust data protection and security systems, and can help your organisation apply for tenders and contracts that require Cyber Essentials certification.
Understanding PII data
In the context of GDPR, the primary data security focus is on Personally Identifiable Information (PII). PII is any personal data that can be used to identify someone. This includes information such as:
- Driver’s licence
- Passport number
- Bank and credit card statements
- Medical records
Article 4 of the GDPR provides several legal definitions of personal data. With a heightened risk of cyber-attacks, PII could be exploited and leaked to cybercriminals. To protect PII, organisations must have robust data security systems, such as firewalls and data encryption, to prevent hackers and cybercriminals from accessing data through direct hacks, malware or social engineering scams such as phishing or spear phishing.
Who is responsible for collecting and protecting customer data?
The exact process of collecting PII data can vary between organisations; however, there are usually two main roles involved:
- The data controller – this role decides how PII data is gathered and the purpose for its collection – such as a marketing operations manager.
- The data processor – this role acts on behalf of the data controller in processing the data gathered – such as a telephone-based call centre operator.
Some organisations need to appoint a Data Protection Officer (DPO) to ensure that data protection legislation is adhered to. Ireland’s Data Protection Commission (DPC) outlines the instances where the appointment of a DPO may be necessary, such as:
- If the data processing is undertaken by a public body;
- If the controller’s or processor’s responsibilities include processing operations that require monitoring of data subjects; or
- If the controller or processor needs to process large quantities of either special categories of data or personal data relating to criminal convictions or offences.
Some EU countries have specific bodies in place that oversee personal data protection. For example, the CNIL is the data protection authority in France. In Italy, it is the Garante. For GDPR matters in Ireland, it is the Data Protection Commission (DPC).
How to improve customer data security
It’s a legal requirement that your organisation meets GDPR requirements when handling data. While it’s essential to get expert guidance on implementing a secure data management system, especially to Cyber Essentials standards, there is some general guidance that you should follow.
Only gather necessary data
Collecting additional data that isn’t needed places that data at unnecessary risk of being breached in any potential cyber-attack. For example, if your purpose is email marketing communications, you should gather only names and email addresses – data such as a person’s date of birth or phone number would be seen as unnecessary. If you collect more data than required, you could breach data subjects’ rights and the GDPR. Data subjects have rights such as the right to be informed and the right to object to their data being collected.
Restrict access to authorised personnel
Limit access to PII data to authorised personnel and put in place processes to reduce the risk of this data being shared with unauthorised people, such as restricting personal mobile phones or data devices within a call centre. Authorised personnel should be encouraged to create strong passwords for accounts that are difficult to guess and include a range of upper and lower case letters, numbers, and symbols. For additional protection, limit the number of login attempts on user accounts and implement two-step verification systems.
Invest in your data security systems
Your organisation may have out-of-date software. Using out-of-date applications can leave your IT system vulnerable, as they are more likely to contain flaws that hackers can exploit to gain access to your data. In May 2021, HSE Ireland suffered a major ransomware attack. In light of this attack, HSE’s independent report discussed plans to allow Windows 10 upgrades that address the known vulnerabilities of the organisation’s wide deployment of out-of-date Windows 7 systems. Upgrading to the latest software can be a significant cost for businesses, and EY reports that 44% of cyber teams in Ireland lack the appropriate budget to address these cyber challenges. However, regular reviews and updates to your system software can reinforce your protection against potential breaches, helping to protect PII and comply with GDPR.
Maintain data security across third parties
If your organisation transfers customer data across platforms to third-party partners such as suppliers or fulfilment organisations, all parties should have the same level of data security. The same levels of protection and encryption can ensure the data remains protected while being transferred. Check that your third-party partners are compliant with EU GDPR and take data security as seriously as your organisation. Ask for evidence of the security processes and systems they have in place. This can help with transparency, confidentiality, and protecting the integrity of the data subject’s privacy and rights.
Delete old data
Old data takes up storage space on IT systems and needlessly exposes PII to hackers and cybercriminals. It’s recommended that data be stored for as short a time as possible. If the data no longer serves any purpose, delete it.
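As an added illustration of the “only gather necessary data” and “delete old data” guidance above (not code from this page or any product), the following Python sketch enforces a per-purpose field allowlist at collection time and purges records past their retention period. The purposes, allowed fields and retention periods are assumed policy values; the email-marketing entry mirrors the page’s own example of names and email addresses only.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy table: which PII fields each processing purpose may collect.
# Anything outside the set is surplus data and is refused, not stored.
ALLOWED_FIELDS = {
    "email_marketing": {"name", "email"},
    "order_fulfilment": {"name", "email", "postal_address", "phone"},
}

# Assumed maximum retention per purpose (storage limitation).
RETENTION = {
    "email_marketing": timedelta(days=730),
    "order_fulfilment": timedelta(days=365),
}


@dataclass
class Record:
    purpose: str
    data: dict
    collected_at: datetime


def collect(purpose: str, submitted: dict, now: datetime) -> Record:
    """Accept a submission only if every field is permitted for the purpose.

    Rejecting extra fields up front (rather than silently dropping or storing
    them) keeps unnecessary PII out of the system entirely.
    """
    allowed = ALLOWED_FIELDS.get(purpose)
    if allowed is None:
        raise ValueError(f"unknown processing purpose: {purpose}")
    extra = set(submitted) - allowed
    if extra:
        raise ValueError(f"fields not permitted for {purpose}: {sorted(extra)}")
    return Record(purpose, dict(submitted), now)


def purge_expired(records: list, now: datetime) -> tuple:
    """Return (surviving records, number deleted) after applying retention."""
    kept = [r for r in records if now - r.collected_at <= RETENTION[r.purpose]]
    return kept, len(records) - len(kept)


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ok = collect("email_marketing", {"name": "A. Person", "email": "a@example.com"}, now)
    old = Record("email_marketing", {"name": "B", "email": "b@example.com"}, now - timedelta(days=800))
    print(purge_expired([ok, old], now)[1])  # 1 record deleted
```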
Where to learn about data security
We offer Cyber Essentials and Cyber Essentials Plus certification to demonstrate that your security systems meet internationally recognised standards. Our ISO 27018 training course helps organisations learn how to control risks to PII stored on cloud-based systems.