This week saw another example of an organisation storing sensitive, personal data in an Excel spreadsheet and then sharing it by mistake. This time it was the government accidentally publishing the addresses of more than 1,000 New Year Honour recipients in a spreadsheet online. Inexcusable these days given the current focus on data protection – but in reality, it’s easily done. So how can you ensure that you don’t make the same mistake?
Below are Clarity’s three recommendations for mitigating this spreadsheet-based risk.
It may seem a pretty obvious thing to say but if you don’t save sensitive personal data in a spreadsheet in the first place then problem solved!
Sensitive data should be recorded and managed in a secure database. If you need to download the data think about which fields you really need and whether you can anonymise the data.
You should give your team clear guidelines for how data is used, stored and distributed in spreadsheets. Putting in place strong spreadsheet policies and procedures that are communicated and understood by all data users helps everyone know what they should and shouldn’t do.
These spreadsheet policies and procedures should be backed up by system controls that control what users can do. As an example most companies who regularly manage very sensitive data (such as banks) have system controls that block the external emailing of any spreadsheets, restrict access to websites that would allow a user to upload a spreadsheet and block external storage devices such as USB sticks.
Our final recommendation for mitigating the risk of storing sensitive data in spreadsheets is using Microsoft Excel’s built in encryption. This involves protecting the spreadsheet with a password so that only people who know the password can open it. This means that if the spreadsheet is shared by mistake no-one will be able to open it.
One quick caveat – Whilst Microsoft have improved their spreadsheet encryption it can still be broken if someone really wants to.
The financial and reputational impact on your business of mistakenly sharing a spreadsheet containing sensitive data can be high. By employing the above three recommendations within your own business you will be able to avoid falling foul of this unfortunately all-too-common pitfall.
Our experienced spreadsheet consultants can help your team to understand the risks of storing sensitive data in spreadsheets.
Please contact us if you would like to learn more about our spreadsheet consultancy services.