You may have seen in the news recently that Three’s systems have been hacked. It is reported that the hackers gained access to over 130,000 customers’ details. This raises the issue of data protection, which has also been newsworthy recently.
In this instance the breach was possibly due to an inside job, where an employee possibly revealed their login details to the hackers. So what could Three do in this type of situation (other than, of course, sack the employee involved)?
However, that may not be good enough justification. In fact, in relation to the TalkTalk hack last year, the Information Commissioner, Elizabeth Denham, said: “Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations.”
Data protection audit
So it is an ‘inside job’ for all businesses to assess what data they hold and the risks involved. A good starting point to help you get a clearer picture is carrying out a data protection audit. This can help reveal how data moves through your business, how it is used, who has or needs access, and what security you have in place.
For example, did this employee need access to the customer database for their job? Whilst you can’t prevent employees turning rogue, they can’t reveal what they can’t access.
Another good reason for a data protection audit is to help assess your compliance with the Data Protection Act, and to identify what else will need to be done in time for May 2018, when the General Data Protection Regulations come into force.
Get in touch if you’d like more information about data protection audits, or data protection in general. We also have a series of fact sheets on the new GDPRs – contact us if you would like us to send you a copy.
A good source of more information on this can also be found here: https://ico.org.uk/media/for-organisations/documents/2787/guide-to-data-protection-audits.pdf