GDPR and technology. 7 Simple steps closer to compliance
The General Data Protection Regulation (GDPR) is just around the corner, and by May 2018 your business will have had to change the way it acquires, manages, shares and deletes data.
It replaces the 1995 Data Protection Directive, and the Information Commissioner's Office (ICO) will enforce the legislation.
Steve Wood, head of policy development at the ICO, confirms the new rules are “much the same as those in the current data protection act. If you are complying properly with the current law, then you have a strong starting point to build from. But there are important new elements, and some things will need to be done differently”.
The full General Data Protection Regulation is 88 pages long and consists of 99 articles, but don’t worry: the ICO has produced a 12-step guide covering the main points, and it provides details of some positive actions you should take now. Wherever you are in your GDPR compliance journey we recommend you follow the ICO, as it is releasing some valuable information; we particularly like Commissioner Elizabeth Denham’s “myth busting” blogs.
The GDPR is a mixture of cultural, procedural, policy and technological changes, all with equal merit and importance.
Let me put some context around the technological requirements.
Since 1995, technology and the way we share data have changed beyond recognition. In simple terms, the bad guys have developed far more quickly than our attitudes to data protection have. In our view the GDPR is timely and certainly a positive step for each of our businesses.
The threat of a hipster in a cereal café hacking your network and causing a data breach may seem a ridiculous notion, but it’s very real, and we need to be prepared.
Here are 7 simple steps you can take now to protect your data from a breach and move a step closer to compliance:
1. Education and GDPR
Understanding the threat landscape and the value of safe working practices has a huge impact on any organisation. It’s almost impossible to protect against threats we don’t understand, so training and education are vital.
In GDPR terms, an ongoing employee training programme can minimise the risk of a data breach. Research from Data Shepherd confirms that 89% of data breaches originate from within the organisation, whether malicious or accidental.
Upskilling the workforce is the first step in cyber-crime defence: what are the threats, how do they evolve, how do I know what to look for, what are the different attacks, and what can I do to help? An ongoing policy of cyber education can really make a difference, and the ICO will take a positive view of these actions in the event of a data breach.
2. Anti-Virus
Securing your network with fit-for-purpose anti-virus (AV) software will have a strong impact.
It sounds crazy that this is still a conversation, since AV has been around since the 1980s, but we still see organisations with no AV or with out-of-date AV. Make sure you’re managing your AV correctly (installed on every endpoint, signatures updating automatically, alerts actually reviewed), and if you don’t have the resource, ensure you’re working with an IT partner that has your security at the very top of its priority list.
3. Encryption and GDPR
Peter Brown, Senior Technology Officer at the ICO, said:
“Encryption being a widely available technology with a relatively low cost of implementation is one such measure. The ICO takes the view that regulatory action may follow in cases where a lack of encryption has led to a loss of data.”
“A significant amount of the monetary penalties issued since 2010 relate to the failure to use encryption.”
Encryption is specifically mentioned in the GDPR as a recommended technology. We’re not scaremongering; it’s there in black and white.
Understanding how encryption could be used in your business is the next step. Ensure your IT partner understands your data processing activities and can develop a data security strategy including encryption software.
4. Automated Backup
What is the biggest threat to data security? It’s you, me and your employees.
Human error, whether malicious or accidental, is the root cause of the majority of data breaches.
Why, then, do we entrust something as important as backup to a human? There are countless examples of backups not being done, hard drives left in public places, sabotage, and many more.
With an automated backup solution you set the backup to run at an interval that suits your business and it just works. That means less to worry about and some extra head space to focus on running your business or department.
Ransomware took $1 billion in 2016 and it’s growing in frequency and sophistication. Automated backup is the number one defence.
5. Disaster Recovery
Article 32 of the GDPR requires “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.” Amongst other things, this is talking about disaster recovery.
It’s so simple.
Once you’ve pressed go and automated your backup, the software sends the backup offsite to a data centre. It sits there, updating incrementally, until “a physical or technical incident” occurs, and then it springs into life.
Depending on the size of your backup, in the event of a catastrophic incident you could have your data back within 15 minutes.
That is restoring “the availability and access to personal data in a” very “timely manner”.
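Steps 4 and 5 both depend on the same two things: a backup that runs without a human remembering to do it, and proof that it can actually be restored. The script below is an added example written for this guide, not software from Greenfrog or from any backup vendor. It assumes a POSIX shell with `tar`, `sha256sum`, `cmp` and `mkdir`; the directory names and the cron line in the comment are hypothetical, and the archive is written to a local directory standing in for the offsite copy.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal automated backup job
# with integrity verification and a scripted restore test.
# Assumes a POSIX shell with tar, sha256sum, cmp and mkdir; all paths are
# constructed for the demo. Schedule run_backup from cron, for example
#   0 2 * * * /usr/local/bin/backup.sh      (hypothetical path)
set -eu

# run_backup SRC_DIR DEST_DIR -> prints the path of the new archive.
# The checksum file written beside the archive lets a later restore detect
# corruption or tampering before the data is trusted.
run_backup() {
  src="$1"; dest="$2"
  mkdir -p "$dest"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$dest/backup-$stamp.tar.gz"
  tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
  sha256sum "$archive" | awk '{print $1}' > "$archive.sha256"
  printf '%s\n' "$archive"
}

# verify_backup ARCHIVE -> 0 if the checksum matches and the archive lists cleanly.
verify_backup() {
  archive="$1"
  expected=$(cat "$archive.sha256")
  actual=$(sha256sum "$archive" | awk '{print $1}')
  [ "$expected" = "$actual" ] || return 1
  tar -tzf "$archive" >/dev/null 2>&1
}

# restore_backup ARCHIVE TARGET_DIR -> unpacks into TARGET_DIR after verification.
# A backup that has never been restored is an assumption, not a recovery plan.
restore_backup() {
  archive="$1"; target="$2"
  verify_backup "$archive" || return 1
  mkdir -p "$target"
  tar -xzf "$archive" -C "$target"
}

# prune_backups DEST_DIR KEEP -> removes all but the newest KEEP archives
# (and their checksum files) so the offsite store does not grow forever.
prune_backups() {
  dest="$1"; keep="$2"
  total=$(ls -1 "$dest"/backup-*.tar.gz 2>/dev/null | wc -l | tr -d ' ')
  [ "$total" -gt "$keep" ] || return 0
  ls -1 "$dest"/backup-*.tar.gz | sort | head -n $((total - keep)) | while read -r old; do
    rm -f "$old" "$old.sha256"
  done
}
```

The restore step is the part most organisations skip: run `restore_backup` into a scratch directory on a schedule and compare a known file against the original, so the first time you learn a backup is unreadable is not during the incident Article 32 describes.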
6. SSL Certificates
So far we’ve spoken about protecting your network and your data, but what about protecting your website? An SSL certificate is a file installed on your web server that ties your domain name to a public key, so that browsers can confirm they are talking to your site and not an impostor.
When a web browser contacts your secured website, the SSL certificate enables an encrypted connection, stopping the information exchanged from being read or altered in transit. Certificates also expire, and an expired one produces the same browser warning as a forged one. Ensure your IT partner has looked at this and has a plan for you.
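Two checks a practitioner would want in place for that plan are “will this certificate still be valid next month?” and “is it issued for the name visitors actually type?”. The functions below are an added example, not code from the original post or from any certificate vendor. They assume the `openssl` command-line tool and run against a local PEM file so they work offline; `make_demo_cert` produces a constructed self-signed certificate purely so the checks have something to inspect, and `example.test` is a placeholder name.

```shell
#!/bin/sh
# Added example (not from the original post): expiry and name checks for the
# certificate a web server presents, run against a local PEM file so it works
# offline. Assumes the openssl CLI. The certificate produced by make_demo_cert
# is a constructed self-signed one for the demo only; a real check would point
# these functions at the certificate file your web server is configured with.
set -eu

# make_demo_cert OUT_DIR NAME DAYS -> writes a throwaway self-signed cert, prints its path.
make_demo_cert() {
  dir="$1"; name="$2"; days="$3"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
    -subj "/CN=$name" -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  printf '%s\n' "$dir/cert.pem"
}

# cert_valid_for_days CERT DAYS -> 0 if the certificate is still valid DAYS from now.
# Alerting on this (30 days out is a common choice) avoids the expired-certificate
# warning that, to a visitor, looks exactly like a compromised site.
cert_valid_for_days() {
  cert="$1"; days="$2"
  openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null 2>&1
}

# cert_matches_name CERT HOSTNAME -> 0 if HOSTNAME appears as the subject CN
# or as a DNS entry in the Subject Alternative Name extension.
cert_matches_name() {
  cert="$1"; host="$2"
  openssl x509 -noout -text -in "$cert" | grep -Eq "(CN ?= ?|DNS:)$host(,|$)"
}
```

Run `cert_valid_for_days /path/to/cert.pem 30` from a daily job and raise a ticket when it returns non-zero; the name check catches the common mistake of renewing a certificate for `www.` only while visitors also use the bare domain.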
7. Patch Management
And finally, you’ve made it this far so we’ll finish with a bang. What do Equifax and WannaCry have in common? Poor patch management was a contributing factor in each.
“Patch” is another word for update. Hardware and software vendors release updates to fix bugs, add features, improve security and so on.
Patch management is the process of working out how each patch will affect your business systems, and then getting it applied, rather than leaving a known, fixed vulnerability open.
A recent example of this is the macOS High Sierra update for Apple products. This had an adverse effect on early versions of Microsoft Office, causing pain for thousands of employees.
Find an IT partner with the skills for patch management.
Thanks for taking the time to read through this guide.
Technology only plays a small part in GDPR. Please take the time to understand how it will affect your business. Consult with your legal team to discover what documentation and policies you may need to introduce or update. If you don’t have a legal team Greenfrog can help introduce you to one of our partners for a free review, visit our website for contact details, https://www.greenfrogcomputing.co.uk/contact-us/
Ben Kistell