Data Protection Law and GDPR Changes
Unless you have been off grid for the last 12 months, I am sure you are aware of the General Data Protection Regulation (GDPR) that comes into effect on 25th May 2018.
There is a lot of negativity in the press about GDPR, but in reality it is a good thing: it gives you more control over how your data is used and, ultimately, more protection for that data.
So, where do we start?
5 Key Facts About GDPR
The Biggest Change in 20 Years
Technology use is increasing and expanding, which, while fantastic, means the amount of personal data held about us is also growing rapidly.
As part of the new GDPR rules, all companies must review, and where necessary, improve how they manage customer data. This data ranges from customer email addresses to employee bank details.
More Control of Data
The whole point of GDPR is to give you, the consumer, more control of your data and how it is used. This means you will have greater confidence that the information held on you is correct, securely managed, and only held with your agreement.
Consent is a major part of the new GDPR requirements. If a company wants to contact you about offers, products or services, it needs a lawful basis, which for most electronic marketing means your clear, affirmative consent. You should also get to choose how you are contacted, for example by email, phone or post.
Changing Your Mind
Under the new GDPR rules, you will be able to update your details and your preferences about what you receive and how, easily and without penalty. If you give a company, such as Piran Technologies, permission to contact you, it doesn’t mean you can’t change your mind in the future.
You can also ask a company that holds your details to erase them (the “right to be forgotten”), subject to some conditions.
More Protection for Your Data
All organisations are responsible for having the right processes and technology in place to protect you and your data, under GDPR.
If they are complacent and put your data at risk, or ignore the permissions you have or have not given, they will face heavy penalties.
GDPR Readiness Tips
As we already mentioned, GDPR comes into effect on 25 May 2018.
So, we have put together some easily digestible tips to help you get organised.
Here at Piran Technologies, we can work with you to make sure you have any technical requirements you need in place. If you wish to gain some accreditations to reassure your customers and your clients, we can also help you with that.
- Firstly, you should identify your role. Are you a data controller or a data processor? Are you an operator of an essential service or a digital service provider? (Those last two roles come from the NIS Directive, which applies alongside GDPR.)
- You need to conduct risk assessments where appropriate, and then remember to act on the results.
- Your company needs to make it clear who is responsible for dealing with cyber and data security. Appoint a Data Protection Officer where GDPR requires one (public authorities, and organisations whose core activities involve large-scale monitoring or special-category data); even where it does not, name someone who owns data protection.
- Ensure you have up to date security systems such as firewalls, encryption and authentication and test them on a regular basis.
- Develop a cybersecurity policy and regularly check that it is being followed.
- Ensure employees understand the cybersecurity policy as well as how and when to report incidents internally.
- Restrict access to personal data to those in the company who need to have access to it.
- Develop a response plan for data breaches in case they happen, including when to notify the regulator (in the UK, the ICO; GDPR requires notification within 72 hours of becoming aware of a breach unless it is unlikely to pose a risk to individuals) and when to notify the affected individuals. It is important to think about how to handle this from a public relations perspective too.
- It is also a sensible idea to take out insurance in case there is a data breach, but check what the policy actually covers: breach response costs are commonly covered, regulatory fines often are not.
- You must keep records of any data breaches, whether or not they are reported: what data was compromised, how the breach was dealt with, and what steps were taken to ensure that type of breach does not recur.
- You should also make use of the government’s Cyber Essentials scheme and other regulator guidance on cybersecurity and data breaches.
Baseline technical measures under the GDPR
GDPR itself (Article 32) does not list specific products or settings; it requires “appropriate technical and organisational measures” and names encryption, pseudonymisation, resilience, the ability to restore access to personal data after an incident, and regular testing of those measures. The items below are the baseline we recommend to meet that expectation.
Business-grade firewalls, properly configured, running current software and kept updated going forwards.
User access control management
Apply least privilege: no single account in your organisation, including the network administrator’s, needs standing access to every file. GDPR does not spell this out, but it is the expectation behind “appropriate” access control.
Separate the administrator’s everyday user account from a privileged account that is used only when administrative work actually requires it.
Unique, sufficiently long passwords for every account, checked against a blocklist of common and previously breached passwords (this, more than composition rules, is what blunts dictionary attacks). On the server side, store passwords only as salted, slow hashes: the per-user salt, not password complexity, is what makes rainbow tables useless.
Regular software updates, ideally driven by patch management software.
Timely decommissioning and secure wiping (rendering the data unrecoverable) of old software and hardware.
Real-time protection anti-virus, anti-malware, and anti-spyware software
Full-disk encryption of all portable devices, with the encryption and recovery keys protected and not stored alongside the device.
Encryption of personal data in transit using suitable solutions. This may include TLS and IPsec VPN connections, which suit machine-to-machine links (SSL is obsolete and should be disabled), or PGP, which is generally used for messaging such as e-mail.
Enforce a secure configuration on all devices, including mobile phones, using a mobile device management (MDM) system.
Network intrusion detection and prevention systems, such as network traffic analysis tools, to detect symptoms of malicious behaviour early, before an intrusion becomes a breach.
Secure, regularly tested backups. A cloud-based backup service adds an off-site copy with its own layers of protection; whichever system you use, confirm that restores actually work and keep at least one copy that malware on your network cannot reach, since GDPR expects you to be able to restore access to personal data promptly after an incident.
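To make the password item above concrete, here is an added example (not code from the original page or from Piran Technologies) showing why salting defeats rainbow tables and why a length check plus a blocklist is the practical defence against dictionary attacks. The sample password and the five-entry blocklist are constructed for the demonstration; a real deployment would load a large list of known-breached passwords. It uses only the Python standard library (hashlib.scrypt for the slow, memory-hard hash).

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data for this demonstration only; a production blocklist
# would be a large file of known-breached passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12


def weak_hash(password: str) -> str:
    """Unsalted, fast hash. Identical passwords give identical digests, so one
    precomputed (rainbow) table cracks every user who chose that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a memory-hard KDF (scrypt). The salt makes
    precomputed tables useless; the KDF cost slows offline guessing."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    # Store scheme, salt and digest together so the record is self-describing.
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, _ = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False          # malformed record: never accept
    if scheme != "scrypt":
        return False          # refuse legacy/unknown schemes outright
    return hmac.compare_digest(hash_password(password, salt), stored)


def password_acceptable(password: str) -> bool:
    """Length plus a blocklist beats composition rules (uppercase, symbol...)
    as a defence against dictionary attacks."""
    return len(password) >= MIN_LENGTH and password.lower() not in COMMON_PASSWORDS


if __name__ == "__main__":
    pw = "correct horse battery"   # constructed sample password
    print("unsalted digests identical for two users:", weak_hash(pw) == weak_hash(pw))
    a, b = hash_password(pw), hash_password(pw)
    print("salted digests identical for two users:", a == b)
    print("verify correct password:", verify_password(pw, a))
    print("verify wrong guess:", verify_password("wrong guess", a))
    print("policy accepts 'Password1!':", password_acceptable("Password1!"))
```

Two users who pick the same password get different stored records, so a table precomputed against one salt tells the attacker nothing about the other; the scrypt parameters (n=2**14, r=8, p=1) are a sensible interactive-login cost and can be raised as hardware improves.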
Other suggested commonly adopted security practices
You should consider multi-factor authentication, especially for remote access. The second factor can be a hardware token plugged into the device or an authenticator app or push approval on a business mobile phone; codes sent by SMS are weaker and best avoided where an alternative exists.
It is also good practice to keep Wi-Fi passcodes confidential and change them regularly. More generally, any Wi-Fi access to the company network should use WPA2-Enterprise (802.1X/EAP against a central authentication server such as RADIUS), which grants access only to authenticated users such as staff, with AES-CCMP encryption. WPA-TKIP is a deprecated encryption method, not an authentication scheme, and should be disabled.
You should also implement web filtering to block access to known-malicious URLs.
Companies should comply with at least the standards advocated for by the UK Government’s Cyber Essentials Scheme.
You may already be doing a lot of the above items, as they are generally considered best practice – even before GDPR.
Get in touch with us to discuss this in more detail, or to help identify your next steps.
You can email us or call the office on 01209 340120
We would be more than happy to talk to you about GDPR or any other technology & security issues you may have.
There is also an accreditation available to help you understand the GDPR requirements: the IASME (Information Assurance for Small and Medium Enterprises) standard. Successful applicants receive a certificate and a website/email badge to show that they are “GDPR ready”; the assessment bundles Cyber Essentials and IASME Governance into the one audit.