Getting Started With GDPR
Over the past 12 months we’ve offered plenty of opinion about the new General Data Protection Regulation. Whilst there is still plenty of uncertainty around the GDPR, one thing is without any doubt: you need to ACT!
Doing nothing is not an option but we know that often, when it comes to something new, getting started is the most difficult part.
We wanted to offer some practical steps to get started with GDPR and point out some of the areas we can help.
Get Management Buy-In – Make sure management is completely on board and understand that this needs resourcing properly and must be given the correct attention. It’s not an extra job for someone if they ‘get a bit of time’.
Appoint an individual who is responsible for your data compliance – This does not mean you need a Data Protection Officer (you only need one if you are processing thousands of records) but having somebody who has responsibility and the necessary power and autonomy to influence change is a sensible move.
Understand The Standard – There is a lot of information, misinformation and downright scaremongering around the GDPR, so make sure whoever is taking responsibility gets information from a reliable source. The Information Commissioner’s Office (ICO) is the regulatory body responsible for the enforcement of the data protection regulations in the UK. The ICO website is an excellent source of information, advice and guidance, including a helpline for small businesses. We would suggest using the ICO as your primary source of GDPR information.
Consider the risk – Do you hold personal data or sensitive personal data? A company that processes regular, ongoing credit card payments from 5,000 customers on a daily basis needs to dedicate more time and resources to data protection than a business that only deals with other businesses and receives a one-off payment.
Consider outside help – but only if you really need it! Now that you’ve considered the risk, you can weigh up whether any investment in outside expertise is required. Bespoke Data Protection consultancy is probably only going to be required by a few companies that deal with relatively high volumes of consumer data, or those that handle any particularly sensitive data such as that pertaining to health issues or young people. For medium risk businesses, those looking to bid for government contracts or those that want a formal, recognised response to cyber security, Cyber Essentials certification gives a structured framework for data security. And, whilst it is no GDPR silver bullet, it certainly shows that the business is taking cyber security seriously as part of its business activities.
Audit the information you hold – You need to know what you’ve got, where it is, how long you’ve had it and where it came from. Audit everything from old invoices in filing cabinets and out of date CVs, to old customer order forms. This is not just about the digital stuff. If you are holding out of date information or data that you simply don’t need then dispose of it SECURELY. Shred documents and delete files securely from servers and backups.
Audit your technology – End of life hardware and software both present security risks. As a rough guide the following would be sensible timescales to replace hardware:
Servers replaced after 5 years
Desktops replaced after 4 years
Laptops replaced after 3 years
Mobiles replaced after 2 years
With software you should ideally be using the latest versions such as Windows 10, Office 365 etc.
Get your security up to scratch – Whilst you are looking at your IT infrastructure you need to know what security software and hardware solutions you have, how these are maintained and kept up to date, and whether they are fit for purpose. Don’t forget your back-up solution. Make sure you know how often your data is backed up and where the back-ups are stored. You should also make sure you have a process to regularly test your back-ups by actually restoring from them; there’s no point having them if you can’t restore from them in the event of an emergency. If we are not already providing your antivirus, email filtering, backups etc. then please talk to us about our integrated solutions.
Find out where your digital information is held – We’ll let you into a secret. There is no ‘cloud’, it’s just someone else’s computer! Seriously though, if you use any kind of cloud service or remote servers you need to know where they store your data.
There may be specific issues with servers that are kept outside the EU. Speak to your hosting company and find out what they are doing to protect your data.
Audit your current data procedures – Ask the question: are we going to be legally compliant under the new rules? If your current procedures don’t meet the new regulations (in the areas that have changed significantly they probably won’t – we’ve highlighted those changes in this previous blog) start working on new processes NOW, so you can test them before May 2018.
Inform your staff – A huge number of data breaches can be traced back to human error. Opening a malicious email attachment, visiting a misleading website, ignoring security patches or using poor passwords can all lead to data loss.
Depending on the level of organisational risk you’ve identified, you may choose regular, formal cyber security awareness training or you may opt for a more informal approach. Ensuring staff have information on the business’s security procedures, including password standards and any restrictions on the personal use of company IT equipment, is a basic minimum standard.
Write it all down and understand it – You must be able to explain your data protection procedures to be legally compliant. Can you do this? Have you documented it? Start a Data Protection compliance folder and record what you’ve done. The ICO have said that they will be more lenient on companies that have shown awareness of the GDPR and tried to implement it, when compared to those that haven’t made any effort.
There are numerous areas that Your IT can assist with as you prepare for GDPR. From providing low-cost perimeter defence solutions such as antivirus and email filtering, auditing networks, replacing and upgrading hardware and software to guiding you through Cyber Essentials certification Your IT can help customers new and old progress toward GDPR compliance in a well thought out, structured manner.