8 Steps Checklist for Companies to Prevent Data Breach

Organizations need to safeguard any information under their care to prevent a data breach due to accidental or unauthorized disclosure. Where a breach has taken place, organizations may need to inform the appropriate regulators and authorities, affected individuals, as well as face undesirable impact on the its brand and customer loyalty. 

What is a Data Breach?

Under the PDPC’s definition, a data breach refers to an incident exposing personal data in an organisation’s possession or under its control to unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

Why is a Data Breach dangerous?

Data breaches often lead to financial losses and a loss of
consumer trust for the organisation. In addition, individuals whose
personal data have been compromised could be at risk of harm or adverse impact if they do not take steps to protect themselves. Hence it is important for organisations to be accountable towards individuals by preventing and managing data breaches.

What are the steps to prevent a possible data breach?

Here are eight easy steps for companies to adopt and minimize any chance of a possible data breach.

1. Training your employees on proper data handling and sending procedures regularly

Organizations must make sure that all personnel undergo regular training to keep them informed and mindful of all proper procedures for the processing and/or sending of personal data. Employees must also be frequently reminded to abide by with such procedures thoroughly, instead of going through the motions.

2. Ensure that employees use company software appropriately

Employees must be proficient trained to use company software for processing and/or sending of personal data. Organizations must present clear standard operating procedures to be followed to when using such software, such as:

• Examining that the software is accurately configured before use; and
• Making sure that the correct sensitive data is keyed into the software.

Where the handling and/or sending of sensitive data has been programmed by IT systems, employees must still be required to double-check that such private information has been processed correctly and/or will be sent to the correct destination(s).

3. Ensure that only the relevant personal data is disclosed

Organizations must create a strategy on how compiled sets of private information must be sent. For instance, instead of sending out the entire set of personal data, employees might be required to extract and send only what is relevant and/or necessary to the recipient. Where personal data is to be sent to recipients other than the individual whom such information relates to, companies should obtain that individual’s consent for the disclosure.

For the sending of mass emails, recipients’ email addresses should be placed in the email’s “Bcc” field instead of the “To” or “Cc” fields. This will ensure that recipients’ email addresses won’t disclosed to everyone in the mailing list.

4. Ensure personal data to be sent is accurate

Establishments must implement procedures to ensure that employees double-check any personal data being sent is accurate. Perhaps, where personal data is to be emailed to a recipient, workers might be required to check that:

• They are sending the right document;
• The personal data in the document is accurate; and
• They have attached the correct document to the email
  

5. Secure all sensitive personal data

Organizations can establish an email policy for documents comprising sensitive personal data to be encrypted or protected with passwords when being sent to recipients. Otherwise, the email itself could be encrypted.

Organizations may refer to PDPC’s Guide to Securing Personal Data in Electronic Medium for other commendations on safeguarding personal data which is electronically stored.

The PDPA establishes a data protection law that encompasses numerous rules governing the collection, use, disclosure and care of personal data. It distinguishes both the rights of individuals to protect their personal data, including rights of access and modification, and the needs of organizations to collect, use or disclose such data for legitimate and reasonable purposes.

One of the 9 obligations is the Protection Obligation, which mandates that organizations must provide as much care and security to the personal data under possession.

6. Ensure that recipient information is accurate

Recipient information is information on where personal data will be sent in order to reach the recipient. This could be:

• Mailing address
• Email address
• Fax numbers
• Mobile number

Organizations might consider implementing automated processing of documents containing personal data. This way, personal data can be automatically pull out from specified sources and filled into documents by software. It reduces the risk of the destination information being inaccurate.

7. Use notifications in communications to warn and inform recipients on Personal Data Protection

Organizations could include a notification in all emails, faxes and letters to:

• Warn recipients against the unauthorized use, holding or disclosure of personal data; and
• Inform them to delete and report straightaway of any personal data sent to them in error.

The PDPC’s Guide to Preventing Accidental Disclosure when Processing and Sending Personal Data, which also includes a beneficial checklist of good practices to follow, is a good additional read. Still, it is mainly up to organizations to choose which methods would be most suitable for them to adopt to compliment their business activities.

8. Perform periodic vulnerability/ risk assessments

Organizations should practice conducting regular vulnerability assessment and penetration testing to know the current state of their security across their systems, web and mobile applications and workstations.

Besides being a guideline for organizations to have their website, web or mobile applications tested on before launching, this also allows for pre-emptive actions to be planned and remediation to be done.

Read why vulnerability assessments and penetration testing is important for organizations.

Protect your Data with Privacy Ninja

Here at Privacy Ninja, we help businesses preserve their brand and data securely.

We provide training on the 9 obligations & DNC provisions, identify and review existing gaps for potential data breaches in the organization as well as draft the necessary data protection policies to be implemented.

Contact Privacy Ninja for a non-obligatory consultation and we will identify and share the areas for improvements in your organization.

You can click here for more details on our PDPA training and Penetration Testing services.