In a recent blog I talked about the importance of understanding what data you hold and where it is stored, so that you can ensure that you are protecting it suitably in readiness for GDPR.
Today I wanted to elaborate on considerations around protecting your data. In preparing your pharma business for GDPR it is important to realise that as well as securing your personal data from external cyber threats, you also need to be securing it from insider threats.
So what do I mean by insider security threats?
Well this can be something like a rogue employee, or a disgruntled ex-member of staff, but more likely it will be a genuine member of staff who accidentally causes a security breach or data loss.
Human error, or our natural tendency as human beings to take the easy option, is actually one of the commonest causes of such an incident, so it is good practice to put in place policies and controls that will minimise the risks of such an occurrence.
Password policies would be one such control. I’m sure for ease of memorability, we would all naturally tend towards an obvious password, but these are very easily guessable and as such do not provide the level of care and protection of your confidential data that GDPR demands. Equally, there is a fine balance to be struck, as overly complex password policies, which demand long and complex passwords which frequently change, can result in staff feeling the need to write their passwords down – and having passwords recorded on sticky notes certainly doesn’t demonstrate due care of confidential data under GDPR!
Having appropriate processes and procedures around starters and leavers is also key in ensuring that only authorised personnel have access to your confidential data. Equally, it is best practice to only give staff the minimum access to systems and data that is needed to do their job, in order to minimise risk from a data breach or deletion, whether accidental or deliberate.
Staff education is also vital in ensuring that your systems are not compromised by security threats like malware or ransomware, which are often transmitted via rogue emails.
Mobile working has also opened up a plethora of new challenges, and preventing data loss or data leakage from mobile devices is a key area that needs careful management under GDPR. With company emails now frequently being synchronised to personal mobile phones, and data often being held on laptops to enable remote working, it is all too easy for confidential data to accidentally get lost if a device is mislaid or stolen.
Equally staff can sometimes be unaware of the implications of having certain pieces of software on their laptop, home PC, tablet or smart phone and may be unwittingly backing up or synchronising confidential and/or personal company data to an unsuitable or insecure location somewhere in the cloud. With many public cloud services hosted worldwide, it is important to realise that such practices can easily be inadvertently creating a breach of the GDPR, which imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
Nowadays, it is also likely that external organisations or third parties may have legitimate access to some of your IT systems or data. In this case this needs to be secured in just the same way as it is for your own staff, so you are clear who has access to what data, why this is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties, as business relationships evolve and change.
Should you need help on assessing your readiness for GDPR or advice on technology solutions that will provide GDPR compliance, please do not hesitate to contact me on (01494) 444065 or email firstname.lastname@example.org