Keeping customer data secure – data security guide

Gaining accreditation in a data security standard such as Cyber Essentials is a way for your organisation to bolster its cyber security and ensure it meets data legislation such as GDPR. Prioritising compliance with GDPR rules can reassure your customers that you take their data protection seriously.

Why is data security important?

Research by the National Cyber Security Centre found that, with cyber-attacks reaching record highs, cyber security is now one of the most commonly talked-about IT topics. In August 2021, consultancy firm EY found that 90% of Irish businesses have seen a rise in cyber-attacks in the previous 12 months. Protecting data security is important because it means your organisation can adhere to the General Data Protection Regulations (GDPR). Passed into law in 2016, the GDPR sets the guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Failure to comply with the GDPR could result in temporary or definitive bans on processing data and a fine of up to 20 million euros or 4% of your organisation’s annual global turnover, whichever is greater. A customer data management system is at the heart of data security and can help your organisation apply for Cyber Essentials certification. This demonstrates that you have robust data protection and security systems, and can help your organisation apply for tenders and contracts that require Cyber Essentials certification. PII data

Understanding PII data

In the context of GDPR, the primary data security focus is on Personal Identifiable Information (PII). PII is any personal data that can be used to identify someone. This includes information such as:

  • Name
  • Address
  • Driver’s licence
  • Passport number
  • Bank and credit card statements
  • Medical records
  • Race
  • Gender
  • Religion

Article 4 of the GDPR legislation provides several legal definitions of personal data. With a heightened risk of cyber-attacks, PII data could be at risk of being exploited and leaked to cybercriminals. To protect PII dat, organisations must have robust data security systems, such as firewalls and data encryption, to prevent hackers and cybercriminals from accessing data through direct hacks, malware or social engineering scams such as phishing or spear phishing.

Who is responsible for collecting and protecting customer data?

The exact process of collecting PII data can vary between organisations; however, there are usually two main roles involved:

  • The data controller – this role decides how PII data is gathered and the purpose for its collection – such as a marketing operations manager.
  • The data processor – this role acts on behalf of the data controller in processing the data gathered – such as a telephone-based call centre operator.

Some organisations need to appoint a Data Protection Officer (DPO) to ensure that data protection legislation is adhered to. The DPC outlines the instances where the appointment of a DPO may be necessary, such as:

  • If the data processing is undertaken by a public body.
  • If the controller and processor responsibilities include processing operations, which will require monitoring of data subjects, or;
  • The controller and processor need to process large quantities of either special or personal data that relates to criminal convictions or offences.

Some EU countries have specific bodies in place that oversee personal data protection. For example, the CNIL is the data protection authority in France. In Italy, it is the Garante. For GDPR matters in Ireland, it is the Data Protection Commission (DPC).

How to improve customer data security

It’s a legal requirement that your organisation meets GDPR requirements when handling data. While it’s essential to get expert guidance on implementing a secure data management system, especially to Cyber Essentials standards, there is some general guidance that you should follow. Customer data management system

Only gather necessary data

Collecting additional data that isn’t needed places that data at unnecessary risk of being breached in any potential cyber-attack. For example, if your purpose is email marketing communications, you should gather only names and email addresses – data such as a person’s date of birth or phone number would be seen as unnecessary. If you collect more data than required, you could breach data subjects’ rights and the GDPR. Data subjects have rights such as the right to be informed and the right to object to their data being collected.

Restricting access to authorised personnel

Limit access to PII data to authorised personnel and put in place processes to reduce the risk of this data being shared with unauthorised people, such as restricting personal mobile phones or data devices within a call centre. Authorised personnel should be encouraged to create strong passwords for accounts that are difficult to guess and include a range of upper and lower case letters, numbers, and symbols. For additional protection, limit the number of login attempts on user accounts and implement two-step verification systems.

Invest in your data security systems

Your organisation may have out-of-date software. Using out-of-date applications can leave your IT system vulnerable, as they are more likely to suffer from flaws that hackers can exploit to gain access to your data. In May 2021, HSE Ireland suffered from a major ransomware attack. In light of this attack, HSE’s independent report discussed plans to allow Windows 10 upgrades that address the known vulnerabilities of the organisation’s wide deployment of out-of-date Windows 7 systems. Upgrading to the latest software can be a significant cost for business and EY reports that 44% of cyber teams in Ireland lack the appropriate budget to avoid these cyber challenges. However, regular reviews and updates to your system software can reinforce your protection against potential breaches, helping to protect PII data and comply with GDPR. GDPR Ireland

Maintain data security across third parties

If your organisation transfers customer data across platforms to third-party partners such as suppliers or fulfilment organisations, all parties should have the same level of data security. The same levels of protection and encryption can ensure the data remains protected while being transferred. Check that your third-party partners are compliant with EU GDPR and take data security as seriously as your organisation. Ask for evidence of the security processes and systems they have in place. This can help with transparency, confidentiality, and protecting the integrity of the data subject’s privacy and rights.

Delete old data

Old data can take up storage space on IT systems and poses an unnecessary risk that puts PII data at risk of being exposed to hackers and cybercriminals. It’s recommended that data be stored for as short a time as possible. If the data no longer serves any purpose, delete it.

Where to learn about data security

We offer Cyber Essentials and Cyber Essentials Plus certification to demonstrate that your security systems meet internationally recognised standards. Our ISO 27018 training course helps organisations learn how to control risks to PII stored on cloud-based systems.

Data security guide

Keep up to date with our latest news!


Related ISO Certifications

ISO 9001 - Quality Management

ISO 9001

Quality Management System ISO 9001 is the internationally recognised global standard for Quality Management Systems. It confirms an organisation’s commitment

ISO 14001 - Environmental Management System

ISO 14001

Environmental Management System ISO 14001 standard is the global standard for organisations wanting to demonstrate their environmental credentials. It

ISO 45001 - Occupational Health and Safety

ISO 45001

Occupational Health and Safety ISO 45001 is an international standard that specifies requirements for an occupational health and safety

ISO 50001 - Energy Management Systems

ISO 50001

Energy Management Systems ISO 50001 is a global standard for organisations looking to improve their energy management

ISO 27001 - Information Security Management Systems

ISO 27001

Information Security Management Systems ISO 27001 is the international standard for managing risks related to the security

ISO 22301 - Business Continuity Management Systems

ISO 22301

Business Continuity Management Systems ISO 22301 is the business continuity management system (BCMS) standard. It provides a framework that

ISO 20000-1 - IT Service Management Systems

ISO 20000-1

IT Service Management Systems ISO 20000-1 Service Management is the international standard for quality management specifically focused on IT

ISO 13485 - Medical Device

ISO 13485

Medical Devices ISO 13485 is a globally recognised quality standard that identifies the requirements of a quality management system

ISO 27701 - Personal Information Management System

ISO 27701

Privacy Information Management Systems ISO 27701 is the global standard for Privacy Information Management Systems (PIMS), also known as

Personal Information Management System - BS 10012

BS 10012

Personal Information Management System BS 10012 provides a framework for a Personal Information Management System standard, helping you maintain

ISO 27017 - Clour data protection

ISO 27017

Cloud Data Protection ISO 27017 is the global standard used by organisations to strengthen their current cloud data protection

Cyber Essentials - Certification Europe

Cyber Essentials

Cyber Essentials Cyber Essentials is a globally recognised IT security standard developed by the UK’s National Cyber Security Centre, which is

ISO 20121 - Event sustainability management systems

ISO 20121

Event Sustainability Management Systems ISO 20121 is an internationally recognised standard for event sustainability management systems. It provides organisations


Recent Insights