Cyber security: Four tips for good data housekeeping

The General Data Protection Regulation (GDPR) took effect across the EU in May 2015. Because safeguarding the privacy of individuals is at the heart of GDPR, it is seldom mentioned in connection with cyber security – yet ‘data protection’ is clearly key to both GDPR compliance and defending your organisation against cyber criminals.

Using the seven GDPR principles as a starting point, here are four tips for good data housekeeping:

1. Control who can access what

   The principle of ‘lawfulness, fairness and transparency’ means that data you hold about someone must have been gathered legally, with their consent, and you must be transparent as to why you need it. If that reason changes, the ‘data subject’ has to be notified.

   That can be difficult if you don’t know what data your teams have access to. For example, Facebook admitted in November 2019 that “at least” 11 Facebook developers had worked with restricted user information.

   In addition to what datasets might be exposed to your third parties, it's a good idea for your cyber security monitoring to look at what information your own teams are accessing – and why.

2. Keep the amount of data you store to a minimum

   ‘Data hoarding’ presents an obvious cyber security risk. GDPR allows data to be kept only so long as it is:

   • adequate; 
   • relevant; 
   • and limited to what is necessary.

   In March 2023, a ‘mega hack’ hit Latitude Financial. The Australian firm handles personal loans, so the nature of its client data is necessarily detailed and extremely sensitive.

   The leak affected 17 million people in New Zealand and Australia – a huge number, because Latitude had kept all of its client records dating back to 2005. GDPR does not specify a maximum data retention limit, saying only that data be kept ‘no longer than is necessary’. Even so, 18 years does seem well beyond the use-by date.

3. Make sure your people have ongoing training

   The GDPR principle of Accuracy specifies that any personal data you hold must not be ‘incorrect or misleading as to any matter of fact.’

   From a cyber security point of view, accuracy has another aspect: Most organisations are vulnerable to data leaks simply because people make mistakes.

   The Welsh Government breached GDPR more than 300 times in less than three years, but not because threat actors repeatedly attacked it. Failings included accidentally publishing sensitive personal data on the Care Inspectorate Wales website, sending a prisoner someone else’s court file, and emailing sensitive personal information to the wrong list of service users.

4. Continuously monitor your threat environment

   GDPR requires “appropriate security measures in place to protect the personal data you hold,” but the definition of ‘appropriate’ is deliberately vague to reflect a threat environment that’s changing all the time.

   OpenAI suffered a data breach on 20 March, involving payment details and user conversations. In response, Italy has become the first Western country to ban OpenAI’s ChatGPT and its successor GPT-4 on privacy grounds. This should concern every organisation with people who are – officially or otherwise – already using OpenAI’s app to assist them in their work.

   Your organisation needs to be aware of its third party ecosystem – which providers have access to your and your clients’ data? Only continuous, automated monitoring is up to the task of identifying existing and emerging vulnerabilities in your attack surface, and that of your critical service providers.

How we can help

At Thomas Murray, we have almost 30 years’ experience of providing risk and compliance solutions to the world’s most complex sectors. We combine that with our award-winning Cyber Security Technology to monitor in real time the financial, operational, and cyber risk of thousands of organisations across more than a hundred markets. Talk to us today about how we can help to protect your organisation.