By Steven Orpwood, Business Analyst and DPO

 

Here’s a question, what do the GDPR and Indiana Jones and the Temple of Doom have in common?

 

Well… in the Temple of doom a sacred stone, and all the children, are stolen from a rural village by a Thugee cult, and used as part of a human sacrifice ritual to satisfy their deity. Likewise, in the case of a data breach, personal data (the stone and children) is taken and used to fraudulently get money (to sate the deity) and harm others (human sacrifices).  Alongside this drama is a wild adventure where security experts (Indiana) have wild adventures battling the fraudsters (Thugees). Ok, so it’s a bit extreme, but data breaches are often seen as a huge struggle between good and evil, where the two extremes are clearly defined and someone is physically stealing something of value (although ‘physically’ can mean virtually, in the case of online systems).

 

This description certainly fits with a number of breach cases, notwithstanding there being possibly less ‘adventure’ than I portray. However, organisationally, this type of breach is only one possibility. There’s catastrophic storage failure, which corrupts or destroys data, or alteration of data, either malicious or accidental, and then there’s unauthorised access…

 

Unauthorised what, I hear you say. Well, here’s a scenario: Lucretia is a healthcare assistant at the local doctors’ surgery; her neighbour is involved in a car accident but local gossip about the crash and aftermath is providing scant detail. Lucretia decides to ‘take a peek’ at her neighbour’s medical records, just to see what happened. She’s wary of telling others what she knows, so keeps the knowledge to herself, but she does ‘confidentially’ confirm a few details with a couple of very discreet friends. No damage done; or is there?

 

Well according to the GDPR, and a number of other regulations which deal with privacy, damage has been done, and a breach has occurred. However, this is an insidious crime, one that’s hard to trace and often difficult to see the impacts of. Does it really exist? Well yes, there are numerous examples in the news of healthcare workers accessing patient records, often out of interest, but occasionally with more sinister motives. Do you need to report this type of breach? Assuming you know about it, yes you do. The ICO does not differentiate between the types of breaches, and if the policies and security in place do not mitigate the risk, they will treat this type of breach as seriously as data loss or destruction.  What’s more, unauthorised access can continue for years undiscovered, and when it is, it can be very difficult to unpick.

 

So what can you do to manage the risk, since people’s curiosity is a constant factor. Well, as with all mitigation, it’s not going to be possible to remove the risk of unauthorised access completely, so what we’re aiming for is a situation where there are structures in place to control the situation. So, for example, can we restrict access to records, can we see who’s accessed records, do we audit this on a regular basis, are there policies in place to explain the risks and consequences of inappropriate access, and are employees given ongoing education?

 

So far, so good. But what if your systems are inadequate, for example, you have a computerised record management system, but data prior to its implementation is still in paper form, requiring the users to come up with inventive ways to access and use that data in their everyday jobs. In this case, it’s possible to be security conscious and have well trained employees, but still miss significant risks which arise due to them needing to access data as a part of their role. In this case, it’s necessary to understand the processes in place on the ground, rather than relying on a 64,000 foot view of what you think is happening.

 

To summarise, breaches come in all shapes and forms, and sometimes it’s not the obvious or immediate impact ones that can cause the greatest problems.

 

To find out about AiM’s GDPR services, including training, discovery reviews, interim DPOs and GDPR compliance technology solutions, click here.