007 in “For Your GDPR Only”
When “M” has finished spymastering for the day, or pops out for a cheeky Nando’s, we always see her locking the “Top Secret” files away in the office safe.
Of course, we know that’s so no secrets will be discovered, even if an enemy spy (or the tea-lady) manages to gain access to M’s empty office.
In business, we now need to be like M, too…
GDPR is about paper records as well as digital
In a previous post we looked at Data Protection and the forthcoming General Data Protection Regulation (GDPR). However, we didn’t make it clear that the regulation doesn’t just cover digital data stored on your IT systems and network; it applies to paper records too.
Any records that contain personal data, whether paper or digital, fall under the auspices of the Act, including the recordings from your CCTV cameras, phone systems (think “this call may be recorded for training purposes”) and biometric data, such as fingerprint or iris recognition systems used to unlock systems or grant access.
This means the files on your desk, the files in your filing cabinet, your paper archives as well as your electronic records—anything that includes personal data.
To start with, you need to ask yourself:
- Who has overall responsibility for the data you have and/or use?
- What data are you holding, why are you holding it and where is it held?
- Are your Privacy and Data Use Policies as good as they need to be?
- How long do you need to keep data and how will you securely destroy it when you no longer need to keep it?
- Who has legitimate access to it and who else can access it?
- How secure is your building, your paper records and IT systems?
- What happens out of normal business hours?
- Can data be exported and removed without authorisation (to a USB key, for example)?
- Is your network connected to the internet and how secure is your connection?
- Can your network be accessed remotely – is this secured?
- Is your electronic data encrypted so, in the event of a breach, data cannot be accessed and used?
- Can your network prevent unauthorised intrusion (hacking)?
- How do you manage Subject Access Requests (when someone asks to see the data you hold about them)?
- How will you manage a data breach, whether it’s a hack, unauthorised file copy or unauthorised removal of paper records?
So, how can Bristol IT Company help?
There are a number of ways that we can help you with the IT aspects of GDPR:
- Provide a complete inventory of all of your IT and data assets.
- Test your network to see how secure it is and whether hackers are likely to be able to gain access.
- Secure your network from external threats (hacking) and ensure that your remote access requirements are reliable, easy to use and secure.
- Secure your data inside the organisation and set things up so that only appropriately authorised employees can access the data they need to do their job, and no more.
- Secure your network so that it’s almost impossible for data to be copied onto a USB key or external hard drive and removed from the organisation.
- Put transparent encryption in place: it doesn’t slow anything down, but it is so strong that only GCHQ or the NSA would be likely to crack it.
- Provide a Data Protection Awareness course within our Security eLearning product to equip your staff with the knowledge to be GDPR compliant.