We’ve got some tips to help you keep your data secure.
GDPR is the latest buzzword going around. Many companies, from lots of sectors, are jumping on the bandwagon. They know people are worried about it and companies are concerned about the potential fines of 4% of turnover or 20 million Euros. They see it as a great money-spinner. Some call it the next Y2K. At Systems IT, we are not interested in advising about what you can and cannot do with the data you have.
We are, however, interested in ensuring you are keeping that data secure. If it isn’t secure, you are failing to abide by key principle (f)…
Personal data shall be:
“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
The first thing that most people think about when it comes to personal data, GDPR and IT security is a data breach. So let’s look at what a data breach is.
What is a data breach?
The Information Commissioner’s Office (ICO) defines a data breach as:
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
You’ve seen all the headlines about various organisations (both public and private sector, but let’s not cast stones at this point) losing data. This has been in the form of lost laptops, hacking and other IT disasters. It is impossible to guarantee that a data breach will never happen, but there are plenty of steps that will allow you to say you have taken “all reasonable precautions”. That is, after all, what you are required to do.
If there is a personal data breach, companies will have just 72 hours to disclose the breach to regulators and in some cases, the individual affected.
What can be done to prevent a data breach?
So where is your data stored?
- Your servers, whether in your office or in the Cloud
- On individual PCs and laptops
- Tablets, phones and other mobile devices
- On paper
On your network
Personal data is on your network so that multiple people can access the data when they need to. It is also the best place to keep it so that it can be backed up, in case of loss. You need to ensure that only authorised personnel can get to the personal data you are storing.
- Do you limit access to folders containing data? All server operating systems and Cloud systems allow you to give permission to some and not to others
- Are you protecting access to your network? Firewalls and password management are the minimum you should be using to ensure that unauthorised people cannot access your network
- Are you using technical measures such as encryption and pseudonymisation? The GDPR requires that companies incorporate these methods to protect personal data.
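Pseudonymisation is the one technical measure in that list people most often skip because it sounds complicated. The block below is an added example written for this post, not code from Systems IT or from any GDPR tooling: it replaces the email column of a constructed customer list with a keyed hash (HMAC-SHA256), so records about the same person still link together for reporting, but nobody holding the pseudonymised file can recover the email without the key. The key and the re-identification table are the "additional information" that GDPR Article 4(5) says must be kept separately, so in practice they live under tighter access control than the working data. The sample records, key and field names are all constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample data: no real people, no real addresses.
RECORDS = [
    {"id": 1, "email": "alice@example.com", "purchases": 3},
    {"id": 2, "email": "bob@example.com", "purchases": 1},
    {"id": 3, "email": "alice@example.com", "purchases": 2},
]


def new_key() -> bytes:
    """Generate a fresh pseudonymisation key. Store it separately from the data
    (a secrets manager or a restricted key file), never alongside the records."""
    return secrets.token_bytes(32)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash of a normalised identifier.

    Same value + same key -> same pseudonym, so analysis can still group a
    person's records. Without the key the pseudonym cannot be linked back,
    and a plain (unkeyed) hash is avoided because emails are guessable.
    """
    normalised = value.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256).hexdigest()
    return digest[:32]  # truncated for readability; 128 bits is still collision-safe here


def pseudonymise_records(records, key: bytes, field: str = "email"):
    """Return copies of the records with `field` replaced by its pseudonym."""
    out = []
    for record in records:
        copy = dict(record)
        copy[field] = pseudonymise(record[field], key)
        out.append(copy)
    return out


def build_reidentification_table(records, key: bytes, field: str = "email"):
    """Map pseudonym -> original value. This is the 'additional information'
    that must be stored apart from the pseudonymised data set."""
    return {pseudonymise(r[field], key): r[field] for r in records}


if __name__ == "__main__":
    key = new_key()
    safe = pseudonymise_records(RECORDS, key)
    for row in safe:
        print(row)
    lookup = build_reidentification_table(RECORDS, key)
    print("re-identified record 2:", lookup[safe[1]["email"]])
```

The working file (what analysts, a third-party mailing tool or a report export would see) contains only `id`, pseudonym and `purchases`; the lookup table and key sit with the folder permissions discussed above, accessible to the few people who genuinely need to contact individuals.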
On PCs and laptops
Every member of your team uses either a desktop or laptop (and often both). What are you doing to prevent people accessing personal data through these devices?
- Does the user need to store data on the local machine? If not, you can stop it being saved locally so that it is only ever on the network.
- Do multiple users use that machine? Do your processes ensure that users log out when they finish using the machine? Multiple users on one account is a major IT security issue because you cannot see who is doing what.
- Are you applying password management so that passwords are difficult to predict (cannot be dates, names or PASSWORD)? Do these passwords have to be changed regularly?
- A further step could be two-factor authentication tools (we can advise)
- Some Windows 10 machines use fingerprints or facial recognition to identify a user. If your machines are getting old, it may make sense to invest in this technology.
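"Difficult to predict" only means something if it is actually checked when a password is set. The block below is an added example, not code from Systems IT or from any operating system's password filter: it encodes the rules given in the list above (no dates, no names, not the word PASSWORD) as a single check that returns the list of problems found, so it can sit behind a self-service reset page or a helpdesk script. The minimum length, the regular-expression date patterns and the small name list are this example's own assumptions; a real deployment would feed in the staff directory and a much larger name list.

```python
import re

# Constructed list of guessable names; a real check would load the staff
# directory and a large common-name list instead.
COMMON_NAMES = {"alice", "bob", "carol", "dave", "eve", "mallory"}

# Assumption: the post sets no length, so 12 is this example's floor.
MIN_LENGTH = 12

# Date shapes people commonly embed in passwords (assumed patterns).
DATE_PATTERNS = [
    re.compile(r"(19|20)\d{2}"),                        # four-digit year: 1987, 2019
    re.compile(r"\d{1,2}[/.\-]\d{1,2}[/.\-]\d{2,4}"),   # 31/12/99, 31-12-1999
    re.compile(r"(?<!\d)(\d{6}|\d{8})(?!\d)"),          # 311299, 31121999
]


def check_password(password: str, user_names=()) -> list:
    """Return the list of policy problems; an empty list means the password passes.

    `user_names` are the names associated with the account (e.g. "Alice Smith"),
    which are split into parts and rejected alongside the common-name list.
    """
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    if "password" in lowered:
        problems.append("contains the word 'password'")

    if any(pattern.search(password) for pattern in DATE_PATTERNS):
        problems.append("contains a date")

    candidates = set(COMMON_NAMES)
    for full_name in user_names:
        candidates.update(part.lower() for part in full_name.split())
    for name in sorted(candidates):
        # Ignore very short fragments, which would match almost anything.
        if len(name) >= 3 and name in lowered:
            problems.append(f"contains the name '{name}'")

    return problems


if __name__ == "__main__":
    for candidate in ["PASSWORD123", "Summer-2019-party", "alice1234567890", "xK9#qL2$vN8@wR4"]:
        print(candidate, "->", check_password(candidate, ["Alice Smith"]) or "ok")
```

Returning every problem at once, rather than stopping at the first, is a deliberate choice: users fix all of them in one attempt instead of trading one weak pattern for another.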
On mobile devices
Outside of your own personal contacts, many people think that there is relatively little data on their mobile devices. Let’s think about that for a moment. Almost everyone has their email going to their phones. How many spreadsheets of data will be available within those emails? How much information is there simply as a list of email addresses, of the people you’ve sent or received emails to or from?
They are also a conduit into your network and to your cloud services. Your MailChimp/dotmailer/infusionsoft app will give someone access to all your mailing lists, as well as all the marketing material you’ve sent out. The Microsoft suite on your Android or iPhone gives access to the network, whether that is a server environment or something as simple as OneDrive.
So what can you do?
- Passwords and fingerprint identification will help, but ensure that passwords and PINs are changed regularly.
- Can you wipe the data if the device is lost? Most of the data can be put back if the device is recovered, but better safe than sorry.
- Control your mobiles using mobile device management, to ensure policies are rolled out and followed, then when necessary, wipe the data.
On paper
There is no such thing as a paperless office, no matter how hard people try. The question is what are you doing with all the notes, the printouts and the forms you have in the business? As an IT company, we aren’t experts in how you manage your paper, but we do know:
- HR documents (application forms, CVs, annual review forms etc.) have to be kept for 7 years
- Market research forms have to be kept for two years
- Other forms and paperwork have to be kept for varying amounts of time
You have to keep all that documentation. You have to know where individual forms are, you have to be able to retrieve them, and you have to be able to show what information you hold about the person they concern.
So there is a lot to be aware of and areas to consider to ensure stored personal data is kept safe.
The security of the personal data you store within your business is part of your GDPR commitments. It isn’t all of it, but it is the basis upon which you build your GDPR commitments. We hope we’ve given you a few things to think about. If there is anything you need assistance with, give us a call.