In an advisory aimed at the protection of customers’ personal data, the Australian Cyber Security Centre (ACSC) has emphasized that businesses should only collect personal data from customers that they need in order to operate effectively.
While that may seem like kicking in an open door, it’s really not. It’s relatively easy to decide which personal data you need to have for a new customer. It’s a bit harder to stop there. Many small business use pre-formatted questionnaires that ask for information they don’t actually need for day to day operations, and it’s hard to keep track of data they no longer need.
The advisory, titled Securing Customer Personal Data for Small and Medium Businesses, is written for small and medium businesses, but many larger corporations could benefit from it as well. The guide was written because data breaches against Australian businesses and their customers are increasing in complexity, scale, and impact.
It outlines a few steps businesses can take to organize, minimize, and control the personal data they collect, in order to contain the impact of a data breach. With the growing tendency to do business online, businesses have a responsibility to keep the personal data they collect safe.
The ACSC recommends implementing 10 steps to secure customer personal data:
- Create a register of personal data. Keep an inventory of the types of data you have collected and where they are stored. For example, a register of databases and data assets.
- Limit the personal data you collect. Do not collect data “just in case.” You don’t have to worry about what you don’t have stored.
- Delete unused personal data. Probably the hardest step, it takes policies stipulating how long customers’ personal data should be stored before it is deleted.
- Consolidate personal data repositories. Consolidating customers’ personal data into centralized locations or databases allows businesses to focus on key data repositories and apply enhanced security practices.
- Control access to personal data. Employees should only have access to customers’ personal data that they need in order to do their job.
- Encrypt personal data. Full disk encryption should be applied to devices that access or store customers’ personal data, such as servers, mobile phones and laptops. Customers’ personal data should be protected by encryption when communicated between different devices over the internet. Additionally, businesses may choose to implement file-based encryption to add an extra layer of protection in the event that systems are compromised as part of a cyberattack.
- Backup personal data. Backups are an essential measure to ensure an organization can recover important business data in case of damage, loss or destruction. Backups are also critical in protecting customers’ personal data from common incidents such as ransomware attacks or physical damage to devices.
- Log and monitor access to personal data. Implementing logging and monitoring practices can assist businesses in detecting unauthorized access to customers’ personal data.
- Implement secure Bring Your Own Device (BYOD) practices. Businesses that employ BYOD policies need to have appropriate protections in place to ensure that this is done securely and does not increase the risk of data breaches. It’s important to have a clear policy and rules to enforce it.
- Report data breaches involving personal data. Make sure you are aware of the existing local reporting obligations in case you are the victim of a data breach involving customers’ personal data.
Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.