The General Data Protection Regulation (GDPR) replaced the Data Protection Act in 2018. The core objectives were to provide individuals with enhanced privacy, all made possible courtesy of a set of new rights.
The implications for businesses were far-reaching, with various changes needing to be implemented across data collection and storage processes, as well as marketing practices.
In short, businesses had to ensure that any information stored on individuals was readily accessible, that the reason for collecting and retaining it was viable, and that data would not be retained for any longer than was completely necessary.
What data does the GDPR cover?
The GDPR covers all the data any organisation stores. As well as physical records, this means data kept on servers, in the cloud, on individual PCs, on portable media and on mobile devices.
Keeping such data safe became far more important when the GDPR was introduced, as did being able to demonstrate evidence of the data security measures and processes put in place to mitigate the risk of data breaches.
Any breach must be reported within 72 hours to the Information Commissioner’s Office (ICO). Businesses that fall short of compliance face fines of €20 million or 4 per cent of annual global turnover, whichever is higher.
What are businesses responsible for in terms of GDPR and IT?
It is the responsibility of individual companies to ensure sufficient cyber security measures are in place to reduce the risk of a data breach. Your aim is to reach a level of confidence that you have done all you can to put adequate security measures in place, to educate staff and to prevent and contain breaches.
The following is a quick-check summary of the typical measures you should be adopting in order to keep your information technology secure and GDPR compliant:
- Understand what cyber security is and how it works.
- Ensure you have appropriate, up-to-date antivirus and firewall software installed across all devices, including homeworker devices.
- Be sure to install all available software and security updates; enable automatic updates so there is no room for error.
- Enforce a strict password policy within your organisation, including outlawing password sharing, and make use of a secure password generator and vault (password manager).
- Use a tiered system to set restrictions as to who can access and share certain information on your systems, so that you have better control and a clearer audit trail.
- Immediately change passwords and reset system permissions when a member of staff leaves. Be sure to reset building access codes too, or change locks as appropriate.
- Encrypt any sensitive information, particularly data held on portable devices and data sent via email.
- Run regular online backups so that you have access to a recent copy of your data should an incident occur.
- When deleting data once the retention period is over, make certain that it is completely erased from all hardware as well as cloud storage.
- If you are using a cloud-based storage and backup system, ask the provider to furnish you with their own GDPR policy so that you can do your due diligence and ensure they are as compliant as you are.
- Train staff to ensure they are fully aware of data breach and cyber security risks. Include this training in every new staff induction, and run regular refresher training to keep everyone up to date.
- Take care when sending emails that only the necessary information is being shared, and that it goes to the right recipient.
- Keep up to date with and share details of all the latest phishing scams so that everyone is aware of the current risks.
- Pay attention to physical security measures such as CCTV and access control, which are just as important for protecting data as cyber security measures.
- Make sure that your IT support company is GDPR compliant and that they sign an agreement with you concerning data access.
GDPR compliant IT support from PC Docs
At PC Docs, we offer a comprehensive package of GDPR compliant IT support services, together with a range of cyber security solutions, all of which can be tailored to suit your individual business needs.
To discover how we can help protect your business against costly data breaches, and for a copy of our GDPR compliance policy, you are welcome to get in touch.