By Aim's data protection experts
November 2021
Until recently, the most significant data protection issue an organisation could face was a data breach caused by a third party. That was as true of a manufacturing company as of a legal firm, and whilst legal firms are generally more aware of the issues relating to personal data and put resource into protecting it, this has not stopped a significant number of them being breached through hacking, system vulnerabilities or stolen credentials, leading to the loss of data.
However, data breaches come in many forms, and a malicious attack is not the only type of breach that can prompt a Supervisory Authority to investigate. Unauthorised disclosure of, or access to, personal data is also a breach. Can this happen? Yes, and sometimes in very innocuous ways. We are told not to send personal data, our own or our clients', by email or other means, and not to store it in insecure locations, yet it happens. For instance, if you work from home and have a technical issue, you will almost certainly log a ticket with your IT department. They will ask for information, and you might give them access to your laptop or take screenshots to demonstrate the problem. That information is then saved into another system and can innocently, yet concerningly, contain significant amounts of personal data.
Recently, a real estate client of Aim asked us to search their sales case management system for personal data. They expected to find some, but probably limited to basic information. What surprised them, and gave them cause for concern, were over 550,000 references to personal data across more than 35% of their cases, much of it account information, financial data and even user credentials and passwords. Although the system itself was secure, that data had been copied somewhere it was never meant to be and was readable by anyone with access to the case management system, whether or not they needed to see it, which is exactly the kind of unauthorised disclosure that counts as a breach.
Homeworking during the pandemic has only exacerbated this issue, so good practice would suggest addressing it sooner rather than later. Our client used Aim's world-leading data governance and management platform dataBelt® to find the problem data using extensive regular expression libraries, establish its lineage, identify the key areas of weakness and then redact the personal data.
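As an added illustration of the regular-expression discovery and redaction step described above (written for this article; it is not dataBelt code and does not show how that platform works), the Python below scans a few constructed case-note records for email addresses, credentials, UK sort codes and account numbers, and card numbers, then redacts what it finds and reports how many cases were affected. It also shows why a bare regex is not enough: a Luhn check discards a 13-digit supplier reference that merely looks like a card number. The pattern names, the sample records and the redaction marker are all assumptions made for the example.

```python
"""Regex-based discovery and redaction of personal data in free-text records.

Added example for this article, not dataBelt code. The patterns, the sample
case notes and the redaction marker are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample records of the kind that end up in IT tickets and case notes.
SAMPLE_CASES = {
    "CASE-1": "Client could not log in. Reset done for j.smith@example.com, "
              "temporary password: Summer2021! told to change at next login.",
    "CASE-2": "Deposit received from account 12345678, sort code 20-00-00. "
              "Card ending 4111 1111 1111 1111 declined earlier.",
    "CASE-3": "Viewing booked for Thursday, no further action.",
    "CASE-4": "Ticket ref 1234567890123 raised with supplier.",  # 13 digits, not a card
}

# Where a pattern has a capture group, the group is the sensitive value; otherwise
# the whole match is. Keep patterns narrow: "password" alone would flag every
# "password reset" note, so a separator is required before the value.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "credential": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "uk_sort_code": re.compile(r"\b\d{2}-\d{2}-\d{2}\b"),  # also matches dd-mm-yy dates
    "uk_account_number": re.compile(r"(?i)\baccount\s+(\d{8})\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),  # 13 to 19 digits, then Luhn
}


@dataclass
class Finding:
    kind: str
    value: str
    start: int
    end: int


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits of candidate; separators are ignored."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list[Finding]:
    """Return every personal-data finding in text, with its span for redaction."""
    findings: list[Finding] = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            group = m.lastindex or 0  # capture group if the pattern has one
            value = m.group(group)
            if kind == "card_number" and not luhn_ok(value):
                continue              # digit run that only looks like a card number
            findings.append(Finding(kind, value, *m.span(group)))
    return findings


def redact(text: str) -> str:
    """Replace each finding with a marker, coping with overlapping spans."""
    spans = sorted((f.start, f.end, f.kind) for f in scan(text))
    out: list[str] = []
    cursor = 0
    for start, end, kind in spans:
        if start < cursor:            # overlaps a span already redacted
            cursor = max(cursor, end)
            continue
        out.append(text[cursor:start])
        out.append(f"[REDACTED {kind}]")
        cursor = end
    out.append(text[cursor:])
    return "".join(out)


def summarise(cases: dict[str, str]) -> dict:
    """Count affected cases and findings by kind, as a discovery report would."""
    per_case = {cid: scan(text) for cid, text in cases.items()}
    hit_cases = [cid for cid, found in per_case.items() if found]
    by_kind: dict[str, int] = {}
    for found in per_case.values():
        for f in found:
            by_kind[f.kind] = by_kind.get(f.kind, 0) + 1
    return {
        "cases": len(cases),
        "cases_with_pii": len(hit_cases),
        "share": len(hit_cases) / len(cases),
        "by_kind": by_kind,
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_CASES))
    for cid, text in SAMPLE_CASES.items():
        print(cid, redact(text))
```

The scan reports two of the four constructed cases as containing personal data, and the redacted CASE-1 note keeps its context ("temporary password: [REDACTED credential]") so the ticket remains useful to IT while the secret is gone. In a real store the sort-code and account-number patterns would need tightening against dates and reference numbers, and every finding should be reviewed before redaction is applied in place.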
This is not a far-fetched scenario; it is common and becoming more widespread. So if there is one thing to put on your data protection to-do list for 2022, it should be to look at the data stores you hold that may contain data you would rather was not freely readable.