By Faye Cheung, Researcher
One of the key principles of data protection law is security. In 2019 the Information Commissioner’s Office (ICO) fined a London-based pharmacy for its ‘careless’ storage of sensitive personal data. The pharmacy had left approximately 500,000 paper documents containing special category personal data in unlocked containers on its premises. The lack of security given to these documents made that data vulnerable to ‘unauthorised or unlawful processing and accidental loss, destruction or damage’, which amounted to an infringement of GDPR. The same principle of security applies to those who store and process personal data digitally rather than physically. As a minimum, the pharmacy could have protected the containers with a lock and key. Similarly, if you’re storing documents digitally then a basic alternative to a physical lock and key might be a password system. However, in order to comply with UK GDPR and in order to adequately protect your data, there may be many more measures you should consider. These include technical and organisations measures. One example of a technical measure, which is provided by Article 32 of the UK GDPR, is encryption.  Encryption could be an appropriate technical measure for certain organisations, depending on the nature and risks of processing activities. ‘Appropriate’ is a key word when looking at security measures for your organisation. The measures implemented by one organisation may not be appropriate for another. This might be because of the size of the organisation or the type of data processing occurring.
A recent survey conducted by the Department for Digital, Culture, Media and Sport (DCMS) found that four in ten businesses (39%) and a quarter of charities (26%) reported having cyber security breaches or attacks in the last 12 months. As cybercrime becomes increasingly sophisticated it is increasingly important for organisations to evaluate their security levels. However, the DCMS survey found that just 15% of businesses and 12% of the charities sampled carried out cyber security vulnerability audits during March 2020 to March 2021. This is understandable given the challenges caused by the Pandemic. However, the Pandemic has also increased the need for new security measures.
The DCMS survey results suggests that the Pandemic has made upgrading hardware, software and systems more difficult and remote working is hampering basic cyber security practices. Furthermore, the survey results suggest that an increase of a ‘blended’ working environment in the future, which will likely see staff working both from home and in an office, may lead to staff championing functionality and flexibility in IT systems, which could be at odds with security practices.
Despite the challenges, organisations should prioritise assessing and implementing security measures. Cyber security may sound daunting and complex, however, it need not be. The image of an unlocked box of documents is a useful starting point when understanding the importance of cyber security.
The ICO have worked with the National Cyber Security Centre (NCSC) to provide guidance on how to assess which security measures are appropriate for your organisation. This can be found here.
Naomi Korn Associates can assist with health checks and audits of cyber security policy and procedures within your organisation. Visit our Consultancy page for more details by clicking here.
[1 – 3] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/12/london-pharmacy-fined-after-careless-storage-of-patient-data/
[4 – 5] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/encryption/
 https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2021/cyber-security-breaches-survey-2021#chapter-1-introduction (Summary)
© Naomi Korn Associates, 2021. Some Rights Reserved. The text is licensed for use under a Creative Commons Attribution Share Alike Licence (CC BY SA)
Disclaimer: The contents of this blog post are based on the assessment of Naomi Korn Associates Ltd at the time in which the resource was created (April 2021). The contents should not be considered legal advice. If such legal advice is required, the opinion of a suitably qualified legal professional should be sought.