By Jess Pembroke, Director of Information Law Services
Like many in the sector, I read the news of a ransomware attack on Salford City College Group with a heavy heart[1]. My first thoughts are with the staff, students, families and wider community who will probably be struggling to deliver services against a backdrop of limited access to key information and the fear of the consequences of personal data being disclosed.
As Data Protection Officers, we spend a lot of time talking about risk and control measures, but we should never lose sight of the fact that every data breach affects the individuals whose information is compromised. Breaches are made more likely by criminals who run Ransomware-as-a-Service operations, lowering the barrier for others to steal personal data and assets.
Incidents such as this should prompt a review of our processes and controls to keep personal data secure. From a DPO perspective, these are some key areas to review:
1. Review processor arrangements and supply chain security
- Do we understand which third parties hold our personal data?
- Are those third parties meeting their contractual security obligations?
- Have we checked their breach response capabilities recently?
- How would they support us during a data breach?
2. Validate your incident response plan
- Has our incident response plan been tested?
- Does it clearly outline roles and communication flows?
- Could we keep operating without IT systems, falling back to pen and paper if we had to?
3. Reinforce staff awareness and incident reporting culture
Training is one of the most important preventive measures, equipping staff with the knowledge to recognise potential threats such as phishing emails, suspicious attachments, and unsafe online behaviour.
If a staff member does encounter a data breach or cyber-attack, it’s vital that they know the correct procedures to follow. Immediate reporting is essential, so staff should be encouraged to report incidents without fear of blame. Clear reporting channels and guidance must be in place so that any breach can be swiftly assessed and contained. Follow-up actions, such as supporting those affected, reviewing relevant policies and providing targeted retraining, help to minimise the damage and prevent recurrence.
Even when organisations take every precaution against data breaches, skilled cyber attackers may still succeed. However, a well-trained workforce is crucial for both prevention and effective response, promoting strong reporting practices and protecting organisational data.
4. Revisit DPIAs for high-risk systems
Education relies on numerous digital platforms. Many of these systems handle high-risk data, such as safeguarding, monitoring or other special category data, and each must have an up-to-date DPIA that genuinely assesses security risk.
Want to find out more?
Our Data Protection and Cyber Security for Execs and Senior Leaders one-hour webinar is designed to help you understand the strategic importance of ensuring that data held by your organisation is handled securely and in line with the UK General Data Protection Regulation (UK GDPR). To find out more, click on the link above or please contact us. We’d be delighted to hear from you.