Initial idea 2

Data protection

What is data?

(what is data - Bing, 2022)


Data, information, knowledge, and wisdom are closely related concepts, but each has its own role in relation to the others, and each term has its own meaning. According to a common view, data are collected and analyzed; data only becomes information suitable for making decisions once it has been analyzed in some fashion. One can say that the extent to which a set of data is informative to someone depends on the extent to which it is unexpected by that person. The amount of information contained in a data stream may be characterized by its Shannon entropy.

What is the data lifecycle?



The data life cycle, also called the information life cycle, refers to the entire period of time that data exists in your system. This life cycle encompasses all the stages that your data goes through, from first capture onward.

How is data protected?

(The Data Protection Act: What you need to know | Business Clan, 2022)

The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.

The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:

  • used fairly, lawfully and transparently
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant and limited to only what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

There is stronger legal protection for more sensitive information, such as:

  • race
  • ethnic background
  • political opinions
  • religious beliefs
  • trade union membership
  • genetics
  • biometrics (where used for identification)
  • health
  • sex life or orientation

There are separate safeguards for personal data relating to criminal convictions and offences.

Your rights

Under the Data Protection Act 2018, you have the right to find out what information the government and other organisations store about you. These include the right to:

  • be informed about how your data is being used
  • access personal data
  • have incorrect data updated
  • have data erased
  • stop or restrict the processing of your data
  • data portability (allowing you to get and reuse your data for different services)
  • object to how your data is processed in certain circumstances

You also have rights when an organisation is using your personal data for:

  • automated decision-making processes (without human involvement)
  • profiling, for example to predict your behaviour or interests (Data protection, 2022)

How can a database be protected?

Databases now enjoy two kinds of protection: if they demonstrate the requisite degree of originality or creativity, they are now conferred full copyright protection as literary works; if they do not meet the originality or creativity requirement, they are protected under ‘database right’.


Methods of data protection?

1. Risk Assessments

The riskier the data, the more protection it has to be afforded. Sensitive data should be closely guarded, whereas low-risk data can be afforded less protection. The major reason for these assessments is the cost benefit, as better data security equals greater expense. However, it is a good test to determine what data needs to be guarded more closely and makes the whole data processing system more efficient.

There are two axes upon which your risk assessment should be based: the potential severity in case of a data breach and the probability of a breach. The higher the risk on each of these axes, the more sensitive the data is. These assessments will often require the assistance of a data protection officer (privacy officer) who will help you establish valid ground rules. Avoid doing it on your own unless you are absolutely certain you know what you are doing. Mischaracterized data, if lost, could prove disastrous.

2. Backups

Backups are a method of preventing data loss that can often occur either due to user error or technical malfunction. Backups should be regularly made and updated. Regular backups will impose an additional cost to your company, but potential interruptions to your normal business operations will cost even more. Time is money!

Backups should be performed in accordance with the principle explained above – data of low-importance does not have to be backed up as often, but sensitive data does. Such backups should be stored in a safe place, and possibly encrypted. Never store sensitive data in the cloud. Periodically check storage media for deterioration, as per the manufacturer guidelines, and make sure to store them according to official recommendations (check for humidity, temperature, etc.)

Tape-storage methods are still a cheaper option (by two-thirds) compared to hard disks. However, hard drives are more versatile and better-suited to small scale operations. Data access is also much faster with disk-storage methods.

3. Encryption

High-risk data is the prime candidate for encryption every step on the way. This includes during acquisition (online cryptographic protocols), processing (full memory encryption) and subsequent storage (RSA or AES). Well-encrypted data is inherently safe; even in cases of a data breach, the data will be useless and irrecoverable to attackers.

For that reason, encryption is even explicitly mentioned as a method of data protection in the GDPR, meaning its proper use will certainly bring you favours in the eyes of the regulators. For example, if you experience a breach that affects encrypted data, you do not even have to report it to the supervisory authorities, since the data is considered adequately protected! For this reason alone, you should consider encryption as your #1 data security method.

4. Pseudonymisation

Pseudonymisation is another method advocated in the GDPR that increases data security and privacy of the individuals. It works well with larger sets of data, and consists of stripping identifying information from snippets of data. For example, you replace the names of persons with randomly generated strings. The identity of a person and data they supplied therefore become impossible to link together.

You are still left with somewhat useful data, but it does not contain sensitive identifiable information anymore. Since people cannot be directly identified from pseudonymised data, the procedures in the case of a data breach or loss are much simpler and the risks are greatly reduced. The GDPR recognises this and the notification requirements have been significantly relaxed in case of pseudonymised data breaches.

Pseudonymisation is also a must when performing scientific or statistical research, so institutions and schools should be well-versed in properly pseudonymising their data.
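The name-replacement step described in this section, as an added Python example (not from the original page or its sources). The class, field names and sample records are constructed for illustration, and it assumes the token table is stored apart from the pseudonymised records.

```python
import secrets


class Pseudonymiser:
    """Swap a direct identifier for a random token. The token table is the
    only link back to the person and is meant to be stored separately."""

    def __init__(self):
        self._by_name = {}   # normalised name -> token
        self._by_token = {}  # token -> original name (re-identification table)

    def token_for(self, name):
        key = " ".join(name.split()).casefold()  # "alice  example " == "Alice Example"
        if key not in self._by_name:
            # Random, not a hash of the name: a hash of a guessable value
            # can be reversed by hashing candidate names and comparing.
            token = "p_" + secrets.token_hex(8)
            self._by_name[key] = token
            self._by_token[token] = " ".join(name.split())
        return self._by_name[key]

    def pseudonymise(self, records, id_field="name"):
        """Return copies of the records with id_field replaced by its token."""
        return [{**rec, id_field: self.token_for(rec[id_field])} for rec in records]

    def reidentify(self, token):
        """Only possible while the table exists; returns None otherwise."""
        return self._by_token.get(token)

    def destroy_table(self):
        self._by_name.clear()
        self._by_token.clear()


# Constructed sample records (not real people).
RECORDS = [
    {"name": "Alice Example", "visits": 3, "condition": "asthma"},
    {"name": "Bob Sample", "visits": 1, "condition": "fracture"},
    {"name": "alice  example ", "visits": 2, "condition": "asthma"},
]

if __name__ == "__main__":
    p = Pseudonymiser()
    rows = p.pseudonymise(RECORDS)
    for row in rows:
        print(row)
    print(p.reidentify(rows[0]["name"]))  # original name, while the table exists
    p.destroy_table()
    print(p.reidentify(rows[0]["name"]))  # None: the link is gone
```

Only the name field is replaced here; the other columns are passed through unchanged, so the same person's rows stay linkable to each other for analysis.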

5. Access Controls

The introduction of access controls to your company’s workflow is a very efficient risk reduction method. The fewer people have access to the data, the lesser the risk of (inadvertent) data breach or loss.

You should ensure that you give access to sensitive data only to trustworthy employees who have a valid reason to access it. We recommend you hold regular prior data handling education courses and refreshers, especially after hiring new employees.

With help of your data protection officer, draft a clear and concise data protection policy outlining the methods, roles and responsibilities of each employee (or a group of employees).

6. Destruction

There may come a time where the data you have will need to be destroyed. Data destruction might not seem like a protection method at a first glance, but in fact it is. The data is being protected this way against unauthorised recovery and access. Under the GDPR, you have the obligation to delete the data you don’t need, and sensitive data warrants more comprehensive methods of destruction.

Hard disks are most often destroyed using degaussing, whereas paper documents, CDs and tape drives are shredded into tiny pieces. On-site data destruction is recommended for sensitive data. Encrypted data can easily be deleted simply by destroying the decryption keys, guaranteeing the data will be unreadable… for at least the next few decades, after which it will likely become obsolete anyway. (6 Essential Data Protection Methods - GDPR Informer, 2022)


Reference list:

Bing.com. 2022. what is data - Bing. [online] Available at: <https://www.bing.com/images/search?view=detailV2&ccid=xQjEbftQ&id=F8CA8177EC393CAA935D64F8C36C4D8D6F676E05&thid=OIP.xQjEbftQdA-kxL6CbxfpQgHaEA&mediaurl=https%3a%2f%2fwww.ambyrne.com%2fwp-content%2fuploads%2f2017%2f11%2fBig-data-has-a-huge-amount-of-information-about-your-online-usage.jpg&cdnurl=https%3a%2f%2fth.bing.com%2fth%2fid%2fR.c508c46dfb50740fa4c4be826f17e942%3frik%3dBW5nb41NbMP4ZA%26pid%3dImgRaw%26r%3d0&exph=1070&expw=1980&q=what+is+data&simid=608045619991630523&FORM=IRPRST&ck=5564C38981ECB7E5176632F668FF6F4C&selectedIndex=5&ajaxhist=0&ajaxserp=0> [Accessed 9 May 2022].

En.wikipedia.org. 2022. Data - Wikipedia. [online] Available at: <https://en.wikipedia.org/wiki/Data> [Accessed 9 May 2022].

Talend.com. 2022. [online] Available at: <https://www.talend.com/resources/data-lifecycle-management/#:~:text=The%20data%20life%20cycle%2C%20also%20called%20the%20information,your%20data%20goes%20through%2C%20from%20first%20capture%20onward.> [Accessed 9 May 2022].

Medium. 2022. Data Analytics Life cycle. [online] Available at: <https://medium.com/tni-university/data-analytics-life-cycle-2e5c29a77369> [Accessed 9 May 2022].

Business Clan - Partner with us to grow your business. 2022. The Data Protection Act: what you need to know | Business Clan. [online] Available at: <https://businessclan.com/data-protection-act-what-you-need-to-know/> [Accessed 9 May 2022].

GOV.UK. 2022. Data protection. [online] Available at: <https://www.gov.uk/data-protection> [Accessed 9 May 2022].

2022. [online] Available at: <https://www.welivesecurity.com/2017/11/08/five-tips-keeping-database-secure/#:~:text=%20Five%20tips%20for%20keeping%20your%20database%20secure,and%20resources%20in%20protecting%20their%20productive...%20More%20> [Accessed 9 May 2022].

GDPR Informer. 2022. 6 Essential Data Protection Methods - GDPR Informer. [online] Available at: <https://gdprinformer.com/gdpr-articles/6-essential-data-protection-methods#:~:text=6%20Essential%20Data%20Protection%20Methods%201%20Risk%20Assessments.,you%20have%20will%20need%20to%20be%20destroyed.%20> [Accessed 9 May 2022].
