GDPR – Security
Security is both a key principle of GDPR for controllers and processors alike, and a key area of EJC’s involvement in our clients’ compliance: a large part of data security inevitably has roots in technology.
Every aspect of your processes should be considered – there’s no point having sophisticated software and systems, only to write the password in big letters on a whiteboard for everyone to see! The cliché of a chain only being as strong as its weakest link is certainly fitting with regard to security.
Please do talk to us about anything you’re unsure about, but in the meantime our detailed GDPR security notes are below.
GDPR requires personal data to be processed in a way that ensures its security, protecting against both unauthorised or unlawful processing and also against accidental loss, destruction or damage – leaving an unencrypted laptop on a train is now even more unacceptable than it used to be.
There’s no expectation that all data is always safe – it simply isn’t – but GDPR requires you to put appropriate technical and organisational measures in place.
How EJC helps
We take security seriously and advise clients about best practice right from the start of our relationship. We ensure up-to-date software and hardware are used and help to identify and correct weak spots (for example, a lot of people will have strong security and passwords, but forget to secure their phone – which will almost certainly have instant access to email accounts). We ensure that appropriate patches and updates are made as and when they are available and backup systems provide protection against accidental loss and destruction. At the same time we can build redundancy into systems to account for potential damage.
Secure your data
Data security applies everywhere: in your office, in the cloud, or when you or your staff are away, whether at home or on the move. Even if someone breaks into your offices, or steals equipment in other ways, they still shouldn’t be able to access your data.
All devices should be password-protected. Important servers should be stored in separate rooms with extra security. Mobile devices should be set up so that they can be disabled and wiped remotely. You should also have clear policies about whether and how untrusted devices can connect to your network, as well as how you use work devices on untrusted networks – using your laptop on a cafe’s wifi, for example.
How EJC helps
Our clients have a mixture of in-house and hosted servers and cloud services, and we take care to ensure that the appropriate security measures are in place for each situation.
But every device which can access your data provides a potential breach point. We therefore insist on reviewing and securing each one. A common problem we encounter is people using home computers to access office networks without considering the possible risk, or accessing email on unsecured mobile devices. We implement appropriate guidance and security measures for your protection and safety.
Whilst there is no ‘silver bullet’ for data security, the government-backed Cyber Essentials scheme helps to protect organisations against online threats. It covers five key areas to ensure you keep information secure:
- Secure your Internet connection – make sure you have an appropriate firewall installed and configured, and protect against malicious websites
- Secure your devices and software – only install the software you need and make sure it is correctly licensed. Password-protect, and where necessary encrypt, your devices and software
- Control access to your data and services – they should be on a ‘need-to-use’ basis – most people don’t need administrator accounts, most people don’t need to access all of the data your company controls. Use password management software and two-factor authentication for added security
- Protect from viruses and other malware – install anti-virus software and keep it up-to-date, and make sure you understand what you’re installing on your computers and mobile devices
- Keep your devices and software up to date – updates to software are regularly released, and should be installed; when software stops being updated you should consider alternative options
How EJC helps
Cyber Essentials covers just that: the essentials. As part of our onboarding process with a new client we ensure each of the five points is covered, and also – importantly – continue to keep your systems up-to-date. By way of an example, none of our clients were affected by the well-publicised ransomware problems which hit, among others, the NHS in 2017 – because we made sure their systems and software were all updated, protected and safe.
Many of the requirements on organisations are already part of EJC standard operating procedures, including when we install new computers, firewalls, servers or users. However, some may require tighter control of your infrastructure, more management oversight or a more formal approach to key processes.
If your systems are a few years old we can help you to perform a security audit to review each of the key Cyber Essentials points, and make sure that the protection you previously put in place is still valid and adequate.
EJC can help you to complete the certification process quickly and efficiently.
One of the biggest changes to data management and security in recent years is the shift from in-house servers to cloud hosting and management: rather than everything running from servers in your office, your files and applications are increasingly stored in a third party’s facility and you access them via the internet.
Whilst this provides a lot of convenience and in many cases added security, there is also the risk of data breaches because the personal data you control is located with a third party.
You must ensure written contracts are in place with all third parties, and be confident that the data they process and manage for you is secure. You should also use secure passwords and two-factor authentication when accessing the data.
How EJC helps
Cloud infrastructure is a critical part of most of our clients’ business – it has many advantages, but as with any technology it comes with risks if not carefully managed.
Firstly, and importantly, we only recommend third-party providers whom we trust and on whom we have performed due diligence, to satisfy ourselves that they take security seriously and have appropriate measures in place.
We install and set up cloud systems on clients’ computers and mobile devices, advise on password management and two-factor authentication, and provide training and advice where necessary to ensure you are fully aware of your own responsibilities with regard to security.
Backup your data
Loss of data is a breach of GDPR as well as potentially damaging to your business. It’s also unacceptable with the technology available today: no longer do you have to remember to change backup tapes and take them off-site; backups can and should be performed continuously, automatically and seamlessly.
Malware and ransomware can prevent you from accessing your data – often encrypting it and only allowing you access again after you pay a ransom demand.
It is essential to have a robust data backup strategy in place, with backups stored in a place where they are not permanently visible to the network – there’s no point having a backup system that can be encrypted or destroyed by the same ransomware or malware that affects your main IT system. There should also always be at least one up-to-date version of your backup stored off-site.
How EJC helps
Backup systems are an absolutely fundamental part of the EJC service, and an area on which we do not compromise.
Your data is backed up automatically on-site. This means you don’t have to worry about changing backup tapes (like in the ‘old’ days!), and the data is easily accessible if there are any problems.
Because data problems aren’t always technical (e.g. data loss can be caused through fire, theft, flooding etc.), we synchronise your data safely via the internet to our own secure storage system.
This means that your data is always safe and there is no human intervention needed to make sure it’s backed up. As soon as someone has to remember to run a backup there is the risk they will forget.
If you do lose any data then it is quick and straightforward to recover from either your local disk or from our secure servers.
Train your staff
Human error, lack of knowledge and understanding, or risk/shortcut-taking are all common security problems which must be addressed. Your organisation is responsible for any data loss, and your staff should be fully aware of their responsibilities.
Security should be built in to all aspects of your systems and activities, and staff should understand that data security is not a fad to be ignored, but as important as setting the alarm and locking the office doors at the end of the day.
Regular training, combined with ensuring the right security tools and information are available, is a key part of your responsibility whether you are a data controller or processor.
How EJC helps
We make sure you have the proper software installed and that your staff know how to use it. Through our service desk we also provide an immediate point of contact where your staff can ask us questions, check issues and generally make sure they are not making any IT security mistakes.
We also send out regular bulletins with security updates and warnings, and can provide specific training either to individuals or groups to ensure you are fully aware of your security responsibilities.
Keep an eye out for problems
It isn’t enough to install good software, brief your staff and then assume everything will be fine forever. You should monitor security software logs, messages and other reporting systems on a regular basis, and act on any alerts which are issued by these services or other third-party providers.
How EJC helps
We do most of this for you: as well as maintaining and updating your systems, we will receive alerts about access attempts, failures or other problems and in many cases the problems will be fixed before you are even aware.
Our service desk also provides a point of contact where you can let us know about anything you spot for us to investigate. We also advise you to talk to us before taking any action: there is a risk, for example, that the email alert you received asking you to change your password could be a phishing attempt, and so we encourage you to check with us before making any changes to your setup, especially if they are unplanned or unexpected.
Know what you should be doing
As well as being aware of your responsibilities during normal day-to-day business, you should also have a clear plan and understanding of what you must do if there is a data breach or loss of any kind.
This includes what immediate action you must take after a breach, who to notify and how to resolve the resulting problems. You should have clear acceptable-use policies and training materials for staff to ensure they are aware of their data protection responsibilities.
How EJC helps
We can help you to understand how your systems work, where the risks are, and what you need to do if there is a data breach. We can help you create and update policies, explain them to staff, provide ongoing support and be available to you if you have any problems.
Minimise your data
Under GDPR you are expected to only retain personal data that is accurate, up-to-date and kept for no longer than is necessary.
How EJC helps
We can help you implement retention policies: how long emails, files and other data should be stored for before being deleted or securely archived, where they are stored, how they are accessed, and by whom.
More on GDPR
Need more help?
GDPR can seem pretty daunting. If you'd prefer to just talk through it, click below or call us on 0370 600 9700.
We can arrange an appointment to give you more information and discuss where we can help.
The Information Commissioner's Office (ICO) provides both comprehensive and straightforward advice and information on GDPR. Here are four useful links to make sure you fully understand your responsibilities:
- The ICO's quick twelve-step overview to GDPR
- Full and comprehensive guidelines from the ICO
- Step-by-step checklists to make sure you've covered everything
- A series of GDPR 'mythbusting' blog posts from the ICO