123 Reg logo Blog

Six potential GDPR breaches you may not have thought about

By Will Stevens - May 17, 2018

If you’ve already spent time making sure your business is GDPR compliant, you’ll no doubt understand that compliance is an ongoing process.

To help you make sure that you don’t fall into any hidden pitfalls when it’s come to compliance, we’ve put together a list of six not-so-obvious ways you might breach the new data protection rules.

Remember though, we can’t offer specific advice on GDPR compliance, so you may wish to consult an expert about your individual needs.

With that in mind, here are some potential GDPR breaches to be mindful of now and in the future.

1 Sending insecure emails

GDPR is all about protecting personal identifying information (PII), and email is perhaps one of the most common ways of sending PII.

If you’re using an email hosting service (ie you send emails from an address like you@your-business-name.com) then you may want to set up secure email, to reduce the risk of a data breach.

Why? Well, most standard email hosting services aren’t encrypted by default. That means if a third-party is able to intercept your emails, they’ll be able to access the body text of the email, along with any attachments.

To avoid this, you can set up secure email hosting. If you’re a 123 Reg customer, you can learn how to use secure mail on your email account here.

If you’re using another email hosting provider, you will need to ask them how you can set up secure email on your account.

2 Sending an email to the wrong person

This may seem like a no-brainer, but you’d be surprised by how often it happens and how significant a data breach it can lead to.

Double checking who you’re sending something to is a good start, but it’s not foolproof.

If you need to send a large amount of sensitive data via email, it’s a good idea to include it as a password protected document.

You can then give the password to the intended recipient via a separate, secure channel (eg a phone call, or a secure messaging app).

This means that if the document containing your data falls into the wrong hand, they still won’t be able to access it.

3 Using file sharing services without passwords

Dropbox is a great way to quickly share large files. But if you’re using it to share PII, then you have to ensure that data is secure.

It’s tempting to think that creating a shared file that can only be accessed by people who have the right link is secure enough, but if that link falls into the wrong hands, you’ll be responsible for a data breach.

For this reason, you may want to password protect all PII when sending it via a file sharing service, and then delete the data from the file sharing service as soon as you can.

4 Using insecure online productivity services to store PII

Online productivity services such as Google Docs and Google Sheets are great, free ways to collaborate online. But they’re also potential data breaches waiting to happen.

If you’re storing PII on a service like Google Docs or Google Sheets, then it’s not enough to have those documents set to “anyone with link can edit” and of course they should never be set to public.

Instead, you should strongly consider specifying exactly who can access these documents (this tends to be done by email address), as well as password protecting and encrypting them.

You may also wish to consider switching to a secure collaboration tool like Office 365.

5 Failing to keep all PII password protected at all times

We’ve already said that you should password protected PII when sending it to someone else, but make sure you password protect and encrypt PII even if you plan on keeping it yourself. Why?

Well, if you leave a device containing PII on a bus and it’s not password protected and encrypted, that’s a data breach.

Make sure all PII is secure wherever it’s stored and whatever you intend to do with it.

6 Using poor password practices

Although password protecting PII is vital, that on its own is not enough. If your password practices aren’t up to scratch, then you’re still running the risk of a data breach.

So make sure your passwords are:

Long and complex – include a mix of letters, numbers, and special characters

Unique – never be tempted to use the same password more than once

Kept private – If you do need to share a password, for example if someone need to access a Dropbox file, then make sure it is a unique password and never use it again. Never share logins and passwords for accounts or applications that contain personal data – this is insecure and may even make it harder to pinpoint the cause of a breach should one occur.

A common complaint here is that it’s hard to remember several long and complex passwords. To counter this, you can always use a password management system such as Last Pass.

Further reading and resources

If you still need more help getting to grips with GDPR, you can:

Read our introductory guide to GDPR

Read our introductory guide to GDPR and online marketing

Read the ICO’s guide to GDPR for small business

Contact the ICO’s small business helpline