GDPR Security: Three Months On
GDPR security is not a fix-once-and-forget project.
It is just over three months since the new data protection regulation was introduced. It overhauled how companies can use personal information in business. A fundamental part of this legislation is GDPR security. This needs to be built into the daily activity of any company or organisation which processes data that could identify someone, and that goes much further than just names, addresses or an email account.
There was much activity – and anxiety – as the May deadline for compliance approached. But, now the dust has settled, what does GDPR security mean in practice? Here, we look at what the updated legislation has meant. We also look at how this translates to the way that your business handles data legally and responsibly.
The GDPR security principle
GDPR security measures set out how to handle data with ‘appropriate technical and organisational methods’. This includes risk analysis and clear organisational policies on data handling and processing, as well as taking steps to put those policies into action. All of this can be scaled to your business requirements. For example, a small business could have a simple database or CMS. This lists their customer data and clearly sets out who has opted in and who has opted out on a ‘do not contact’ list. It has to be backed up, so that access isn’t lost in the event of a technical incident. There also have to be measures in place to ensure your system is effective: access must only be given to those who need it, and access must be revocable if required.
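The small-business register described above, as an added example written for this article rather than code from Link IT or any real product: an in-memory customer record where a ‘do not contact’ request overrides an earlier opt-in, where reads and backup exports are only allowed to staff who have been granted access, where that access can be revoked, and where every access attempt (including refused ones) is logged for later review. All customer names, addresses and staff identifiers are constructed.

```python
"""Minimal customer-contact register with opt-out enforcement and
revocable, need-to-know access. Added example constructed for this
article, not Link IT's code; every record and name below is made up."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Customer:
    customer_id: str
    email: str
    opted_in: bool = False        # explicit consent to be contacted
    do_not_contact: bool = False  # an opt-out always wins over an opt-in


class ContactRegister:
    """Holds personal data, records who may read it, and logs every access."""

    def __init__(self) -> None:
        self._customers: Dict[str, Customer] = {}
        self._readers: Set[str] = set()   # staff currently granted access
        self.audit: List[str] = []        # who did what, for later review

    # -- access administration: grant only to those who need it ---------
    def grant(self, staff: str) -> None:
        self._readers.add(staff)
        self.audit.append(f"grant {staff}")

    def revoke(self, staff: str) -> None:
        self._readers.discard(staff)
        self.audit.append(f"revoke {staff}")

    def _check(self, staff: str, action: str) -> None:
        """Refuse and log any access by staff not on the reader list."""
        if staff not in self._readers:
            self.audit.append(f"denied {staff} {action}")
            raise PermissionError(f"{staff} is not authorised to {action}")
        self.audit.append(f"{staff} {action}")

    # -- data handling ---------------------------------------------------
    def add(self, c: Customer) -> None:
        self._customers[c.customer_id] = c

    def opt_out(self, customer_id: str) -> None:
        """A 'do not contact' request overrides an earlier opt-in."""
        c = self._customers[customer_id]
        c.do_not_contact = True
        c.opted_in = False
        self.audit.append(f"opt-out {customer_id}")

    def contactable(self, staff: str) -> List[str]:
        """Emails marketing may use: opted in and not on the opt-out list."""
        self._check(staff, "list contactable customers")
        return sorted(c.email for c in self._customers.values()
                      if c.opted_in and not c.do_not_contact)

    def export_backup(self, staff: str) -> List[dict]:
        """Snapshot for backup; the same access rule applies as for reads."""
        self._check(staff, "export backup")
        return [vars(c) for c in self._customers.values()]


def demo() -> dict:
    """Walk through opt-in, opt-out, grant, read and revoke (constructed data)."""
    reg = ContactRegister()
    reg.add(Customer("c1", "alice@example.test", opted_in=True))
    reg.add(Customer("c2", "bob@example.test", opted_in=True))
    reg.add(Customer("c3", "carol@example.test"))   # never opted in
    reg.opt_out("c2")                               # Bob asks not to be contacted
    reg.grant("marketing-user")
    allowed = reg.contactable("marketing-user")
    reg.revoke("marketing-user")
    try:
        reg.contactable("marketing-user")           # must now be refused
        after_revoke = "allowed"
    except PermissionError:
        after_revoke = "denied"
    return {"contactable": allowed, "after_revoke": after_revoke,
            "audit": reg.audit}


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

Running `demo()` leaves only Alice on the contactable list (Bob opted out, Carol never opted in), and the audit trail shows the refused read after revocation; that trail is the kind of record you would want to hand over if the ICO ever asked who had access to what.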
GDPR security systems need to be regularly reviewed and updated. As your business grows, and technology evolves, your GDPR security will need to evolve as well. A classic example is data encryption. Research found that 53% of US start-ups encrypt their data, but fewer European companies are doing the same. GDPR security, when it comes to IT and IoT, can be never-ending. From implementation to process writing and training, it is a full-time role in itself. It is also a job that can’t be ignored or left in the hands of someone who isn’t completely sure of what they are doing.
GDPR security staff
Prior to the introduction of GDPR, there was an Act in place to ensure that personal data was handled sensitively. However, that Act was largely outdated as technology developed, and this is what prompted the introduction of GDPR. Now, data protection has to be designed in by default, not bolted on as a pesky afterthought.
For many, this will have had a significant impact on workloads. It could be that new staff are needed to cope with this increased legal responsibility. In fact, public organisations are required to appoint a data protection officer for this specific purpose. Or, maybe this part of your IT function needs to be outsourced.
Companies which handle huge amounts of data, such as call centres, may also look to appoint a person or an in-house team to handle data in light of GDPR security. This ensures that companies are covered when things go right, and it will also help when things go wrong and a breach does happen. A breach requires sensitive management and reporting to the ICO in a timely manner.
GDPR security and IT
Now, for the techie bit. GDPR security should go right through every process within your company that touches data. This goes beyond simple names and addresses to also cover cookie data and IP addresses. These all require the same level of protection under the new regulations.
It is also imperative to ensure any third parties you use are GDPR compliant. Their failure to comply would mean your failure too. Think about how your email service provider is handling, storing and processing your customer data. Ensure your web host is compliant if they collect data on your website visitors, such as through Google Analytics.
It is becoming increasingly common for companies to have BYOD policies. GDPR security needs to cover all technology and devices which would handle customer data. So, if your staff do use their personal phones for professional purposes, educate them on security measures and ensure they are GDPR compliant.
Two-step authentication is a great option for controlling who has access to the personal data of your customers. This is a strong option for people using phones or tablets for professional purposes. It provides extra cover should those devices get lost or stolen and your company data gets into the wrong hands too. Although it is, of course, advisable to train all staff in GDPR security and how to be compliant, mistakes still happen. Statistics show that up to a whopping 90% of data breaches occur through human error inside an organisation. Two-step authentication and secure folders that can be wiped on command can minimise the risk.
Protecting your digital assets is nothing new. GDPR security has basically just added another level of complexity. The Government-endorsed Cyber Essentials certification looks at how to protect your data as well as how to secure your devices and software. An IT consultant, such as the Link IT team, can help you get certified in Cyber Essentials as a foundation for GDPR security good practice.
Resting on your laurels when it comes to GDPR security is crazy. Get yourself covered and compliant. Our blog here looks at the basics. Or, contact the Link IT team to find out how we can help you with GDPR security.