IT and Data experts nTrust help us to understand the importance of being ready for the EU’s new General Data Protection Regulation
In May 2018 the EU’s sweeping new General Data Protection Regulation (GDPR) comes into effect and is expected to have an immediate and serious impact on every business that handles ‘personal data’. If you haven’t made preparations yet, you’ll want to read on…
This new legislation affects us all and is being implemented to protect the personal data of EU citizens, in other words, OUR personal data. We are being given increased rights and protection, and this legislation will apply even after the UK leaves the EU.
There will be significant fines for the worst data breaches, intentionally set high enough to hurt, so that organisations sit up, take notice and put controls and measures in place to prevent leaks of personal data.
From May 2018, the duty of care will fall upon any organisation that processes or stores our personally identifiable information (PII) – our employers, people we buy from, people we sell to, people we partner with, welfare and educational organisations, sports and leisure clubs, whether charitable, commercial or voluntary. The Data Protection Act 1998 was introduced to give such protection, but the rapidly increasing number of personal data leaks demonstrates that the existing legislation is not good enough. The list of serious data breaches announced in 2017 that affected EU citizens is long – Uber, Yahoo, Equifax, BUPA, Tesco and MumsNet, to name but a few.
Where to begin with GDPR?
This legislation affects all businesses. The sooner you prepare, the better. You need to be aware of your responsibilities and ensure that your employees, partners and suppliers are also aware of theirs. You need to build a culture of privacy throughout your organisation. Anyone and everyone who has access to your business data is responsible for storing, handling and sharing files containing PII securely. Ideally your business documentation should make these responsibilities clear to employees, partners and suppliers alike. You may need to seek legal advice on inserting the appropriate clauses into contracts and agreements.
Russ McKenzie, Managing Director of IT consultants, nTrust Systems explains, “An essential first step is to undertake a data audit to identify everywhere that you hold your business data, as well as data for your clients.” This will form the basis for further actions you need to take. For a free plain-English guide, click GDPR and its Implications.
Where is your business data? Do you have a data asset register?
Your business data is very probably your company’s greatest asset, and you need to think carefully about its security. With whom do you place it, and how much control do you have over it? Find out where data is held both within your organisation and outside it (e.g. backups, third-party providers), and also how you share information (e.g. Box, Dropbox). Obtain written confirmation that any such organisations take privacy seriously, ideally checking for the Cyber Essentials logo.
Create a Data Asset Register if you don’t have one.
Why do you hold data? What do you do with it? How long will you keep it?
Organisations have to identify one or more of six ‘legal reasons’ for holding personal data.
If none of the specified ‘legal reasons’ apply, then you must seek express permission from the data subject.
Who has access to your data? Who needs access and why?
As EU citizens, our new rights under GDPR apply to any data from which we can be identified, whether it is on paper or stored electronically.
Every organisation needs to know exactly what PII it stores, where it is stored, who has access to it and who it is shared with. One of the biggest changes is that responsibility for protecting this personal data no longer rests with the Data Controller alone; in future it will also lie with Data Processors. Data processors are any individuals who process or store data on behalf of the Data Controller, and all of them will be accountable for compliance. You need to identify who processes data within your organisation and ensure that they are aware of their responsibilities, giving them basic training if necessary.
To ensure security, it is best to ensure that only the people who need access to data actually have access to it. Best practice where sensitive data is concerned is for each data processor to have an individual user name for log-on, with a unique password.
What do you currently do?
Think about current practice in your organisation and if you have any doubts at all about data security, seek expert advice from a specialist IT consultant experienced in this field.
Laptops and data sticks – many data breaches happen because employees lose laptops and data sticks. There is no reason to stop using such devices, but you need to put security in place, particularly if they hold personal or payment data.
Best practice for laptops is a Private Cloud Hosted Desktop, so that no sensitive data is stored on the laptop itself. Alternatively, the data on laptops and memory sticks can be encrypted so that there is no data breach should the device fall into the wrong hands.
Internet access – use secured connections, not open Wi-Fi, when working away from the office.
Email – is not appropriate for sending files containing sensitive PII. Email is effectively an open letter that can be forwarded by anyone to anyone. The file will remain on the outgoing mail server and the incoming mail server unless it is specifically deleted from the server itself; deleting a message from your outbox or inbox does not usually delete the data from the server. If the server is inadequately protected, this data can be accessed by an attacker.
Best practice for sharing sensitive files is to use Private Cloud File Sharing.
However small your organisation, you must be able to show how you comply, not just that you comply. This may be quite a step change for many.