Clear Air Turbulence
The Danger Isn’t Always in the Cloud
We are all, rightly, much more focused on data protection than we used to be. Cyber security, cloud configurations, multi-factor authentication; these are firmly on the agenda, and so they should be. Data breaches are rising, and anyone who tells you an incident is a matter of “if” rather than “when” is being optimistic.
But there is a risk that in concentrating so hard on the digital threat, we take our eye off something rather more old-fashioned.
Any cyber security trainer worth their salt will, at some point, remind you that people are often your greatest IT risk. I’d extend that observation and direct you to consider the humble sheet of paper — particularly if you invite the public into your workspace. A data protection risk assessment that only looks at your electronic environment is only doing half the job.
The breakfast list that cost €15,000
In July 2019, a Bucharest hotel was fined €15,000 after an individual photographed a breakfast list left momentarily unattended at the restaurant entrance and posted it online, exposing guest data.
The hotel’s booking system and guest database almost certainly had excellent security. A single paper checklist, probably considered too mundane to think of as a data risk, caused the damage.
It’s a small case, but it illustrates the point neatly. It’s not always about what the data actually is, either. Consider the firm whose bins were knocked over by wind in the street, scattering headed paper across the road. Nothing sensitive on the pages, but it ended up in the local paper anyway. Perception, in data protection as in most things, counts for a great deal.
Why physical data protection deserves its own space on the agenda
A few trends make this more relevant, not less.
Hybrid working has blurred the lines around where documents end up and how they’re stored and disposed of. Staff move between home, office and client sites with printed materials that don’t always come back.
Working from home brings its own version of the problem. The dining room table is not a secure workstation. Household members and visitors aren’t bound by your confidentiality obligations. A video call background can reveal more than you intend. Printed documents left out at home don’t have the benefit of a shredding bin in the corner. If staff regularly work with sensitive client data at home, it’s worth thinking about what your policies actually say about that and whether anyone has explained it to them.
Shared and serviced offices, common on the Island, mean more people moving through your workspace than in a traditional set-up.
And if you deal with the public on site, even occasionally, the risk multiplies. What’s visible at your reception desk? What’s on the screen facing the door? What’s in the general waste bin?
The IOM Information Commissioner has become noticeably more active on enforcement in recent years. Physical data lapses are no less reportable than digital ones, and “we were focused on cyber” is not a defence that tends to land well.
Practical steps
A clear desk policy is the obvious starting point — sensitive files locked away when not in use, not left out between meetings or at the end of the day.
Think about who has access to your workspace and when. Staff, cleaners, contractors, visitors. Map it out and consider how often visitors are unaccompanied in areas where client data might be visible.
On waste, some firms have removed desk bins entirely. There are shredding bins, there is a kitchen bin and that’s it. It removes the decision about what needs shredding and what doesn’t. Simple, effective, and it sends a clear message to staff about how seriously the business takes physical data.
Train your people to think of themselves as gatekeepers of physical data as well as electronic data and include it in your regular training, not as an afterthought.
Document what you do. Short, clear physical data procedures, records of training, a note of any issues found and resolved. Simple and consistent is more useful than elaborate and ignored.
Finally, test it. One approach that works particularly well is a regular after-hours walk around the office, with anything left out (files, notebooks, printed emails) confiscated on the spot. If you want your things back, you have to go and ask for them. It works partly because it’s consistent, and partly because nobody particularly enjoys the walk of shame to retrieve their client files.
If you want a useful sense of how data protection enforcement looks in practice across Europe, the Enforcement Tracker at enforcementtracker.com aggregates fines and decisions and is worth a browse.