There’s More to Data Privacy in 2018 than Digital Security
While the GDPR is good, in that it imposes far greater respect and control over private information, the task of complying with the new regulations could seem daunting. Fortunately, the Information Commissioner’s Office (ICO) – which is tasked with GDPR’s implementation in the UK – has provided plenty of guidance on its website, including 12 steps that UK organisations should take. These include: making everyone aware of the GDPR; documenting details of data that is held, including the source and who it shared with; reviewing current privacy notices; checking procedures and amending accordingly; becoming familiar with the ICO’s code of practice on Privacy Impact Assessments; and designating Data Protection Officers.
Facilities managers could arguably be candidates for this role, given that the classic definition of FM combines people, processes and technology. That said, the volume of data that is in digital format, the IT department will need to be heavily involved, to ensure data is encrypted as appropriate, that IT security is robust and that the ability to demonstrate GDPR compliance digitally is in place.
The data privacy risk goes mobile
However, GDPR is only going to be 100 per cent robust if every employee has – and uses – tools to ensure data privacy, wherever they are. Given that many workforces are increasingly mobile, or have employees who work from home, the classic bricks-and-mortar office-based environment – which is possibly easier to control and defend – is no longer the status quo. 38.8 per cent of the global workforce was already mobile in 2016, according to Strategy Analytics. There is no reason to expect that trend to slow down or reverse.
A recent Deloitte study found that 77 per cent of millennials want great mobile connectivity, but they are also potentially a riskier group, according to findings from research carried out by the Ponemon Institute on behalf of Citrix: 39 per cent of this demographic were prepared to use unauthorised apps in the workplace (and Generation X was not that far behind, at 33 per cent).
Correspondingly, data privacy strategies must encompass individuals and their devices, both in and out of the office. There needs to be more focus on protecting the ‘virtual offices’ that many of us carry around, including thinking twice before carrying out sensitive printed content and, of course, ensuring that the organisation’s IT strategy is extended to all mobiles, with screen lock-outs, mandated log-ins, anti-hacker software and biometrics. Also, there is a ‘Bring Your Own Device’ (BYOD) policy, that should be managed too: IT network protection could be undermined if sensitive data is being transmitted by, or even stored on, an unprotected personal smartphone.
Even so, when someone’s screen is active, there is still the risk that sensitive data could be visible to prying eyes. Various research studies over recent years have demonstrated that the risk of ‘visual hacking’ – the ability to see someone’s screen and then use the data viewed or photographed for malicious or illegal purposes – is very real. A 2017 Twitter feed by film director Barry Jenkins demonstrated how easy it is to view someone’s screen over the shoulder of a fellow plane passenger: harmless enough, but imagine someone less honest, snapping a shot of customer records displayed on a laptop and then selling on that information?
Screens should be angled where they are not easily visible, with automatic screen savers and log-ins required after a couple of minutes of inactivity. When staff are working in public places, encourage them to sit with their backs to a wall. Better still, fit privacy filters over the screens of all mobile devices – smartphones, tablets and laptops - so that on-screen information is only visible to the user and not to someone taking a sideways glance or looking over a shoulder.
Back in the office
It is important to extend these policies to offices, particularly with so many of us using our smartphones and other mobile devices within those spaces. Fit privacy filters to desktop monitors and ensure that those screens are not visible to visitors, contractors or indeed, to anyone not authorised to view sensitive information. It is also good to routinely check people’s credentials and to have a culture where an unknown visitor can be politely but firmly challenged if they are unescorted: in a Global Hacking Experiment carried out by the Ponemon Institute on behalf of 3M, a ‘white hat’ hacker (a computer specialist employed to test the security of a network by ‘hacking’ into it) was only challenged in a global average of 32 per cent of attempts, despite achieving an average of 91 per cent of successful visual hacking attempts.
Many organisations already have policies in place to reduce unnecessary use of paper; apart from environmental considerations, less printing or copying of material reduces the potential risk of someone seeing or picking up sensitive information. The Global Hacking Experiment found that 56 per cent of sensitive data was obtained from printed documents (as opposed to 44 per cent from on-screen information).* Make sure documents are removed swiftly from printers and copiers and routinely shred anything that contains sensitive information.
Protecting data is a multi-faceted task, but there is much that we can do, both as businesses and as individuals – quickly, simply and relatively inexpensively – to better protect our own, our customers’ and our businesses’ valuable information.
3M is a trademark of 3M Company.