Be Ready for GDPR
GDPR (General Data Protection Regulation) is on its way and it seems to have caused a flood of panic across the business and not-for-profit communities. I wanted to reassure you all that help and support is out there and it always has been. GDPR is not about IT systems, although IT support companies like Emerald can support and advise you so that you can make informed decisions. GDPR is about data: the data you hold as an organisation; the people who come into contact with it; and the processes it goes through. It’s important to remember that the premise behind GDPR has been crucial for a long time. Any business or organisation is only as good as the data it holds, and therefore protecting that data has always been paramount.
GDPR gives this need to protect data a different spin. Rather than focusing on protecting the business or organisation from a continuity perspective, which is what Emerald have done since our inception in 2009, GDPR is concerned with the end user and how his/her personal data is being stored. We are all good people with good core values, so it is right that we protect those who matter most to us: our customers, clients, employees, and suppliers.
A key step to ensure GDPR compliance is to write up a simple Privacy or Data Handling Policy and display it on your website. We have helped many of our customers write Business Continuity or Disaster Recovery Plans and similarly we are offering a free template for your Data Handling Policy, or we can work with you to write your plan from £149 ex VAT.
How do you store and process data on clients, customers, suppliers, employees?
Think of all the data you hold and where you store it. It’s important to involve your team members in this too as they may be storing things on their local PC or a hard drive that you don’t know about. Start a mapping exercise thinking about the questions below.
- Do you use third party software? You need to understand the supplier’s data handling policy and what they would do in the event of a breach to alert you and the contacts whose data they hold on your behalf.
- Do you have data stored in your own databases? This includes Sage or other accountancy software that you host yourself. What would happen if you suffered a data breach? How would you notify everyone affected?
- What flat files do you hold? These are Word documents, Excel files etc. Think in particular of HR contracts, referral forms, and other documents that contain sensitive data. How would you notify those whose data you hold in the event of a breach?
How do you keep the data you store secure?
Thinking of all the ways you store data above, you need to detail how you keep it secure. This is a best-endeavours exercise: with 100s of new viruses being created every day, it’s impossible to guarantee 100% protection, which is why your policy needs to say what process you have for notifying contacts in the event of a breach. Your policy can state where responsibility for the technical side of IT security is delegated to a third party like Emerald, and we can tell you what we provide.
- Do you have a clear password policy with a requirement to change passwords frequently and to use secure passwords with upper case, lower case, numbers, and special characters?
- Do you have user restrictions on IT access? These are controlled centrally by an administrator and can include the ability to print, the ability to use USB devices, the ability to access blacklisted or insecure websites, access to certain folders containing sensitive information, etc.
- Do you have security for your IT infrastructure? Anti-virus, anti-spam, anti-malware, and ransomware protection are really the bare minimum. Remember that 100s of new viruses are created every day, and ransomware protection provides a better level of protection against the viruses of the future by monitoring computer behaviour. You also need to ensure you have a schedule for applying security patches and operating system updates.
- Do you use a secure document sharing platform like OneDrive or FileCloud? Do you know where that data is stored? Do you ensure you don’t send sensitive data like payslips and HR contracts by email?
- Do your mobile devices store personal information? Can they be remotely wiped if they are lost or stolen?
How do you inform those whose data you hold?
It’s important that everyone whom you hold data on, or ask for data from, knows how you store and process it, why you have it, how you ensure its security, and how you would notify them of a breach.
- Ensure your Data Handling Policy states how you notify contacts in the event of a breach and the internal procedures you have in place for employees to alert management to a breach or potential breach.
- Ensure you have a documented record of your ‘lawful basis’ for storing and processing the data you hold. Your Policy should include this. The lawful bases are listed below:
- Consent: if it’s an electronic opt-in to a marketing list, for example, you need to have a record of it and offer an option to withdraw consent
- Contract: necessary to fulfil a contract you have
- Legal obligation: necessary to comply with law (not contractual)
- Vital interests: necessary to protect someone’s life
- Public task: necessary to perform a task in the public interest or in an official function
- Legitimate interests: necessary for your legitimate interests or the legitimate interests of a third party
Please note that the conditions for personal and sensitive data are different, so it is worth checking on the Information Commissioner’s website.
- Personal data is any information that can directly or indirectly identify a person, e.g. your email address, your home address, your job title and place of work.
- Sensitive data is anything under the ‘special categories’, which include ethnic origin; politics; sexuality; trade union membership; biometrics; health information etc. It is best to check the full list on the Information Commissioner’s website.
If you would like any help from our team on GDPR or any other IT security issue, please contact firstname.lastname@example.org or call 01926 452462.
You can also download our free helpsheet on assessing your IT risks here.