With the imminent arrival of the GDPR on May 25th our GDPR practitioners are now heavily involved working with our clients to help them prepare, particularly with regard to all matters relating to cyber security, data backup and disaster recovery.
I therefore thought it would be useful to re-publish an article that I wrote last year, which shares 6 key steps that we would suggest all businesses need to take, if they have not already done so, to prepare themselves for the new legislation:
1. Identify what personal data is held (which can be as simple as an individual’s name, email address or reference number), who has access to it and where it is stored. This could include in-house servers, cloud services, portable devices such as laptops, tablets and smartphones or removable media such as USB sticks.
2. Identify threats to this data, which could include cyber-crime, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. Whilst most businesses have some policies and technologies in place to protect them against these sorts of threats, we often find that these were implemented several years ago and, given the fast-moving nature of security threats, are no longer fully effective. In addition, many companies have a piecemeal approach of different technology solutions, each designed to cover a specific security threat, but no “joined up” solution to make sure nothing falls between the cracks.
3. Invest in and implement the right technology to deal with insider and external threats to data. These days such a solution needs to include:
• Virus protection
• Malware protection
• Ransomware protection
• A system for applying operating system and application security updates to servers, PCs and laptops promptly
• Email filtering
• Constantly updated firewall protection
• Encryption of data in transit
• Data loss/leakage prevention technology
• The ability to remotely wipe data from any user device that is lost or stolen
• A certified system for securely wiping old servers and PCs prior to disposal
• Strong passwords or two-factor authentication
• Regular network penetration testing
• 24/7 monitoring against threats
• Effective multi-layered data backup procedures
• Tested disaster recovery plans
4. Put together a new or updated data protection policy and train employees on it.
5. Put in place processes for ongoing user education for all members of staff around cyber security and data protection.
6. And finally, for the worst-case scenario, create a breach notification plan, which will typically involve the Board, IT, PR, sales, marketing and HR, to ensure that any breach can be communicated smoothly, accurately and with as little damage to the business as possible.
Should you need professional assistance assessing your readiness for GDPR or with the implementation of business processes and technology solutions to facilitate GDPR compliance, please do not hesitate to contact us on (01494) 444065 or email firstname.lastname@example.org