Cyber security: steps businesses can take to protect personal data

Following Easyjet’s recent disclosure that it was the subject of a cyber security attack on its data, it has now been hit with a billion-pound group action claim over the incident.

The email addresses and travel details of approximately 9 million customers were accessed, together with some credit card details. Easyjet has taken steps to contact the customers affected and has informed the ICO. Although there is no evidence that any personal information, including credit card data, has been misused, this event serves as a reminder of the steps that businesses can take to protect the personal data of their clients:

  1. Carry out a data audit to identify what personal data the firm processes, the “categories” of data subjects, the purpose and means of collection of the data, what is done with the data and who has access to it.
  2. Undertake a risk assessment of the processing of this data and consider mitigating steps. These might include carrying out Data Impact Assessments for high-risk processing and considering what technical measures can be taken to protect the data, such as encryption, pseudonymisation and anonymisation.
  3. Check your internal policies are up to date, such as security policies, record retention policy, special categories data policy, data privacy policy, and record of processing activities.
  4. Check your contracts with any third parties to whom you transfer data, to ensure they contain appropriate provisions.
  5. Ensure that you have in place a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures that ensure the security of the processing. These will include the provision of staff training, and planning for business continuity and disaster recovery.
  6. Check whether your organisation is complying with any relevant sector-specific security standards.
  7. Consider taking out cyber insurance.

The ICO has an information security checklist aimed at small and medium-sized organisations which leads you through a series of questions. Based on the organisation’s responses, it provides red, amber and green ratings together with suggested actions. The checklist can be found here.

In addition, the National Cyber Security Centre (NCSC) has published guidance to help small and medium-sized organisations prepare their response to, and plan their recovery from, a cyber incident. The guidance can be found here.

For any questions or assistance regarding cyber security, please get in touch.