Overview
You must ensure that any documentation holding PII (Personally Identifiable Information), or any confidential documentation, that is required to be sent electronically is sent in accordance with GDPR and Data Security best practices.
Personal data breaches can include:
access by an unauthorised third party;
deliberate or accidental action (or inaction) by a controller or processor;
sending personal data to an incorrect recipient;
computing devices containing personal data being lost or stolen;
alteration of personal data without permission; and
loss of availability of personal data.
For more information on what constitutes a Data Breach, visit the ICO website.
Please note that this list is not exhaustive; it should help guide you to decide whether there is sensitive information within the documents and how to safely send them.
What are you sending?
Does the content of the document or data sheet detail any personally identifiable information?
Such as names, email addresses, dates of birth, bank details or addresses?
For corporate information, you should be mindful of what that document contains and what the impact could be if that information ended up in the wrong hands.
For example, a Full GRATIS Report from MEC may not contain PII and, although GDPR regulations may not be impacted, it would be classified as a confidentiality breach should the email be sent to the wrong email address or be intercepted by illegal means.
An example of this could be accidentally sending the last month's stats from one Corporate Agent to another Agent or from Hotel Group A to Hotel Group B.
If your answer is yes to any of these then you need to ensure that all necessary care and attention is taken when preparing to send this data.
Why are you sending it?
Is there a specific reason that you need to send this information electronically?
Can they access this information themselves in MEC or GRATIS?
Can you limit what you are sending?
Is there another way to access this information without sending it electronically?
Who are you sending it to?
Are the email addresses legitimate? Does the email address match the name of the company? Don’t be afraid to query it if the email address doesn’t seem right.
Do they have authority to receive and view the data? Look at their job title, check the CRM. If you are not sure, ask!
Avoid sending any confidential documents to domains such as @gmail, @outlook, @yahoo, to name but a few.
Once you have been through the steps above, you then need to decide how you are going to send the document.
Secure ways to send documents
Sharing Via Google Drive
If they have a Google Account:
Go to Share in the top right-hand corner of the page, then add their email address into the box below. Once added, select their level of access.
Viewer*: Cannot manipulate the original document, but will be able to download the document into Excel, Word, PDF etc.
Commenter*: As above with the additional ability to select elements within the document and comment on it.
Editor: Full access, they can edit, remove, download etc.
*Unless otherwise specified, they will be able to download the document. If this is not required, select the Settings cog and UNTICK the box.
If sharing with an external source, you should normally only give Viewer or Commenter access.
Sending Via WeTransfer
For large files I recommend using WeTransfer. For occasional use it is completely free. Go to https://wetransfer.com/
Enter both your details and the recipient's details into the box on the screen, add your message and click Transfer.
Links automatically expire after 1 week.
We understand that very large documents may not always be possible to share in Google Sheets, and on occasion an Excel spreadsheet or CSV file is the preferred method of sharing. In these circumstances you may still require a password in order to add an additional layer of security on your documents.
If you are unsure of the best way to send a large file then please speak to the Head of Operations or your Line Manager to discuss the appropriate options.
Remember that if your document is password protected, you do NOT put the password in the same email; either deliver the password over the phone or use the confidential mode in Gmail as below.
Use Confidential Mode in Gmail
Gmail allows you to send emails with an expiry date and/or passcode, which lets you choose how long the recipient has access to that email and any data within.
Please note that this is NOT recommended for sending any data sheets or documents that contain Personally Identifiable Information; please use one of the methods above.
This is a good option to use if sharing contracts or discussing confidential information and you want to add an additional layer of security to your email.
Within Gmail, begin to compose your message.
Once you have your document ready, select the option tag below.
Select your Expiry Date and choose if you want to add an additional SMS code to enable the recipient to access the information. (Be mindful that you will need to ensure that you have the recipient's mobile number to enable the SMS Code.)
The recipient will then receive an email like this:
If you select the SMS option, they will see an additional screen
In Summary
Check your data. Is the data correct and limited to what is required?
Ensure you understand who you are sharing the documents with and that they have authority to access that information.
Check and double check the email addresses before you share.
Agree how long access to the document will be available, and ensure you remove the access after the agreed period of time has lapsed.
What to do if you suspect a Data Breach has occurred
Firstly, don’t panic and be honest!
If you are able to, revoke all sharing access to the documents as soon as you have any security or access concerns.
You must report the breach or potential breach to your Line Manager or the Head of Operations at the earliest convenience and detail what the data set includes, who it was sent to and what has happened.
If you have shared data using the methods above, this will naturally reduce the risk of a breach, so should any mistakes or data security issues occur, it will be much faster to resolve them and protect the data.
If you have shared the data in another way, the full details will still be required to enable the necessary steps to be taken to protect the data.
The above action also applies for any form of data or security breach.
Examples include a laptop or device being stolen, lost or hacked.
The most important aspect is to be swift with your actions and your honesty, as we have a legal obligation to review suspected breaches and report to the Information Commissioner's Office if a data breach has occurred.