GDPR Security: Three Months On
It’s been just over three months since the new data protection regulation was introduced. It overhauled how companies can use our personal information in their business practices. A fundamental part of this legislation is GDPR security. This needs to be built into the daily goings-on of any company or organisation which processes data that could identify someone. This goes much further than you may think – much further than just names, addresses or an email account.
There was much activity – and anxiety – as the May deadline for compliance approached. But, now the dust has settled, what does GDPR security mean in practice? Here, we look at what the updated legislation has meant and how this translates to the way that your business handles data legally and responsibly.
The GDPR security principle
GDPR security measures set out how to handle data using ‘appropriate technical and organisational methods’. This includes risk analysis, clear organisational policies on data handling and processing, and taking steps to put those policies into action. All of this can be proportionate to your business requirements. For example, a small business could have a simple database or CMS which lists its customer data and clearly sets out who has opted in and who has opted out on a ‘do not contact’ list. This has to be backed up to ensure access isn’t lost in the event of a technical incident. There also have to be measures in place to ensure your system is effective, that access is only given to those who need it, and that access can be revoked if required.
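To make the ‘simple database’ described above concrete, here is an added illustration (not Link IT’s code, and not from the original post) of the three properties the paragraph asks for: a consent register that records every opt-in and opt-out rather than overwriting the last answer, a ‘do not contact’ check applied at the point where a list is actually used, and access grants that can be revoked and are audited on every attempt. The schema, table names and the sample customers are constructed for the example.

```python
"""Toy consent register with revocable access grants (added example, not the page's code).
Schema and names below are assumptions made for illustration."""
import sqlite3
from datetime import datetime, timezone


def open_register() -> sqlite3.Connection:
    """Create an in-memory register. Consent is an append-only event log, so the history
    of every opt-in/opt-out survives; the current state is derived by query."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE);
        CREATE TABLE consent_event (
            customer_id INTEGER NOT NULL REFERENCES customer(id),
            purpose     TEXT NOT NULL,      -- e.g. 'marketing'
            granted     INTEGER NOT NULL,   -- 1 = opted in, 0 = opted out
            recorded_at TEXT NOT NULL
        );
        CREATE TABLE access_grant (
            staff      TEXT NOT NULL,
            role       TEXT NOT NULL,       -- role needed to read a contact list
            revoked_at TEXT                 -- NULL while the grant is live
        );
        CREATE TABLE access_log (staff TEXT, action TEXT, allowed INTEGER, at TEXT);
    """)
    return db


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def record_consent(db: sqlite3.Connection, email: str, purpose: str, granted: bool) -> None:
    """Append a consent decision; never overwrite earlier decisions."""
    db.execute("INSERT OR IGNORE INTO customer(email) VALUES (?)", (email,))
    cid = db.execute("SELECT id FROM customer WHERE email = ?", (email,)).fetchone()[0]
    db.execute("INSERT INTO consent_event VALUES (?, ?, ?, ?)",
               (cid, purpose, int(granted), _now()))


def has_consent(db: sqlite3.Connection, email: str, purpose: str) -> bool:
    """Latest event wins. No event at all means no consent (opt-in, not opt-out, by default)."""
    row = db.execute("""
        SELECT e.granted FROM consent_event e
        JOIN customer c ON c.id = e.customer_id
        WHERE c.email = ? AND e.purpose = ?
        ORDER BY e.rowid DESC LIMIT 1""", (email, purpose)).fetchone()
    return bool(row and row[0])


def grant_access(db: sqlite3.Connection, staff: str, role: str) -> None:
    db.execute("INSERT INTO access_grant VALUES (?, ?, NULL)", (staff, role))


def revoke_access(db: sqlite3.Connection, staff: str, role: str) -> None:
    """Mark live grants as revoked instead of deleting them, so the record shows who had access when."""
    db.execute("UPDATE access_grant SET revoked_at = ? WHERE staff = ? AND role = ? AND revoked_at IS NULL",
               (_now(), staff, role))


def _is_allowed(db: sqlite3.Connection, staff: str, role: str) -> bool:
    row = db.execute("SELECT 1 FROM access_grant WHERE staff = ? AND role = ? AND revoked_at IS NULL",
                     (staff, role)).fetchone()
    return row is not None


def contact_list(db: sqlite3.Connection, staff: str, purpose: str) -> list:
    """Return the customers `staff` may contact for `purpose`, filtered by current consent.
    Every attempt, allowed or not, is written to access_log for later audit."""
    allowed = _is_allowed(db, staff, purpose)
    db.execute("INSERT INTO access_log VALUES (?, ?, ?, ?)",
               (staff, f"contact_list:{purpose}", int(allowed), _now()))
    if not allowed:
        raise PermissionError(f"{staff} has no live '{purpose}' grant")
    emails = [r[0] for r in db.execute("SELECT email FROM customer ORDER BY email")]
    return [e for e in emails if has_consent(db, e, purpose)]


if __name__ == "__main__":
    reg = open_register()
    record_consent(reg, "a@example.test", "marketing", True)   # constructed sample data
    record_consent(reg, "b@example.test", "marketing", True)
    record_consent(reg, "b@example.test", "marketing", False)  # b later opts out
    grant_access(reg, "alice", "marketing")
    print(contact_list(reg, "alice", "marketing"))             # only a@example.test
    revoke_access(reg, "alice", "marketing")
    print(reg.execute("SELECT staff, action, allowed FROM access_log").fetchall())
```

The point of keeping consent as events rather than a single flag is that a later complaint can be answered with the full history of what the customer said and when; likewise revoked grants stay in the table so the access log can be read against who was entitled at the time.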
GDPR security is certainly not a one-time fix-and-forget project. Systems need to be regularly reviewed and updated. As your business grows, and technology evolves, your GDPR security will need to as well. A classic example is data encryption. Research found that 53% of US start-ups encrypt their data but that not so many European companies are doing the same. GDPR security, when it comes to IT and IoT, can be never ending. From implementation to process writing and staff training, it is a full-time role in itself and a job that can’t be left ignored or in the hands of someone who is not sure what they are doing.
GDPR security staff
Prior to the introduction of GDPR, there was an Act in place to ensure that personal data was handled sensitively. However, that Act became largely outdated as technology developed. This is what prompted the introduction of GDPR. Now, data protection has to be built in by default at the beginning of any process, not as a pesky afterthought.
For many, this will have had a significant impact on workloads. It could be that new staff are needed to cope with this increased legal responsibility, or that this part of your IT function needs to be outsourced. In fact, public organisations are required to appoint a data protection officer for this specific purpose.
Companies which handle huge amounts of data, such as call centres, may also look to appoint a person or an in-house team to handle data in light of GDPR security. This helps ensure that day-to-day data handling is done properly. It will also help if things go wrong and a breach does happen, which would require sensitive management and reporting to the ICO in a timely manner.
GDPR security and IT
Now, for the techie bit. GDPR security should go right through every process within your company that touches data. This goes beyond simple names and addresses to also cover cookie data and IP addresses, which all require the same level of protection under the new regulations.
It is also imperative to ensure any third parties you use are GDPR compliant. Their failure to comply would mean your own failure too. Think about how your email service provider is handling, storing and processing your customer data. Ensure your web host is compliant if they collect data on your website visitors, such as through Google Analytics.
It is becoming increasingly common for companies to have BYOD policies. GDPR security needs to cover all technology and devices which would handle customer data. So, if your staff do use their personal phones for professional purposes, educate them on security measures and what platforms to use to ensure they are GDPR compliant.
Two-step authentication is a great option for controlling who has access to personal data about your customers. This is a particularly strong option for people using phones or tablets for professional purposes, in case they get lost or stolen and your company data gets into the wrong hands too. Although it is, of course, advisable to train all staff in GDPR security and how to be compliant, mistakes can and do still happen. Statistics show that up to a whopping 90% of data breaches occur through human error inside an organisation. Two-step authentication and secure folders that can be wiped on command can minimise the risk of this happening.
Protecting your digital assets is nothing new – GDPR security has basically just added another level of complexity. The Government-endorsed Cyber Essentials certification looks at how to protect your data as well as secure your devices and software to help prevent a data breach from happening. An IT consultant, such as the Link IT team, can help you get certified in Cyber Essentials to establish GDPR security good practice now and going forward.
Resting on your laurels when it comes to GDPR security is quite simply crazy – get yourself covered and compliant if you aren’t already. Our blog here looks at the basics. Or, contact the Link IT team to find out how we can help you with GDPR security.