Get the basics right …

23rd January 2015


You may get the impression reading this blog that I am obsessed with the Data Protection Act, and what can go wrong when organisations fail to do the basics.

Well, I guess I have to hold my hands up – I do sweat about the small stuff, but it is only because I care, and some really good, honest companies have ceased to be just because they forgot to do the basics.

To help you avoid some of these basics I thought I would tell you about some examples of what happens when the basics of Data protection are ignored, and so here is the first.

PRINCIPLE 5: Personal information should not be kept for longer than is necessary

Principle 5 basically says that you should delete personal information as soon as you no longer need it. However, many companies and organisations seem obsessed with keeping personal data ‘just in case’.

“Just in case of what?” I often ask my clients.

The question of when the ‘right’ time is always makes for an interesting conversation. “You are aiming for the ‘Goldilocks’ zone,” I tell them: not too soon, not too long, but just right!

Just this month the shoe retailer ‘Office’ signed an undertaking with the Information Commissioner committing to address issues of data protection.

The high street and online shoe retailer was in trouble after the personal data of over one million customers was left exposed in a hacking incident.

The hacker gained potential access to customers’ contact details and website passwords via an unencrypted database that was due to be decommissioned. The hacker bypassed the other technical measures the company had put in place, and the incident went undetected.

This is a classic tale of personal data being kept ‘just in case’. The theory was probably sound: keep the old information until the new system was live. The trouble was that the old database was left accessible after the new system had gone live, and it was left unencrypted and vulnerable to hackers.

Sally-Anne Poole, Group Manager at the Information Commissioner’s Office said:

“The breach has highlighted two hugely important areas of data protection: the unnecessary storage of older personal data and the lack of security to protect data. All data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used. The need and purpose for retaining personal data should also be assessed regularly, to ensure the information is not being kept for longer than required.”
