The following are some relatively straightforward security measures worth considering:
The GDPR does not mandate the use of encryption technologies for securing all personal data, but does suggest that it be considered.
For example, the use of unencrypted email to transmit data is commonplace these days, but encrypting emails and/or attached documents (e.g. password-protecting PDF files) is possible and highly recommended for financial data. In addition, all data held on laptop computers and other handheld devices should be encrypted. (Note that encryption is something more than just a user name and password.)
Where possible, personal data should be split into the identifying information of the data subject (e.g. name, address) and the further non-identifying data on that individual.
Each of the two sets of personal data should be held under a random identifier (e.g. “Employee 1”), so that only a person holding both sets of data can connect the non-identifying information back to the data subject.
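The split described above, as an added example that is not part of the original guidance: each record is divided into an identity set and a data set held under the same random pseudonym, with a check that no identifying field has leaked into the set intended for wider sharing. The sample records and field names are constructed for illustration.

```python
import secrets

# Constructed sample records for illustration only (not real personal data).
SAMPLE_RECORDS = [
    {"name": "Ann Example", "address": "1 Sample Street", "salary": 42000, "grade": "B"},
    {"name": "Bob Example", "address": "2 Sample Road", "salary": 51000, "grade": "C"},
]

# Fields that identify the data subject; everything else is treated as non-identifying.
IDENTIFYING_FIELDS = ("name", "address")


def split_records(records, identifying_fields=IDENTIFYING_FIELDS):
    """Split records into an identity set and a data set, both keyed by a random pseudonym.

    The pseudonym is a fresh random token per record, not derived from the data,
    so a holder of only the data set learns nothing about who each row concerns.
    """
    identity_set, data_set = {}, {}
    for record in records:
        pid = secrets.token_hex(8)
        identity_set[pid] = {k: record[k] for k in identifying_fields}
        data_set[pid] = {k: v for k, v in record.items() if k not in identifying_fields}
    return identity_set, data_set


def contains_identifiers(data_set, identifying_fields=IDENTIFYING_FIELDS):
    """Check to run before sharing the data set: True if any identifying field leaked into it."""
    return any(k in row for row in data_set.values() for k in identifying_fields)


def relink(identity_set, data_set):
    """Re-join the two sets. Only a party holding both can reconstruct full records."""
    return [
        {**identity_set[pid], **data_set[pid]}
        for pid in data_set
        if pid in identity_set
    ]


if __name__ == "__main__":
    ids, data = split_records(SAMPLE_RECORDS)
    print("data set safe to share alone:", not contains_identifiers(data))
    print("relinked:", relink(ids, data))
```

The identity set and the data set should be stored and access-controlled separately; the pseudonym is the only thing they share.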
The use of the client portal is predicted to increase significantly as more and more businesses fall into line with GDPR.
When sharing documents with a client it is worth considering the use of a web accessible portal, which ideally should be able to store encrypted documents ready for clients to download.
Certification schemes can both check and prove the robustness of your cyber security. Examples of such schemes include the UK National Cyber Security Centre’s Cyber Essentials, Cyber Essentials Plus, IASME and ISO 27001.
A detailed list of examples of practical technical security measures to aid GDPR compliance:
- ensuring that IT security is properly managed and overseen by an appropriate person in the firm, with adequate support from IT professionals;
- employing adequate access control, including identity and access management;
- putting intrusion detection/prevention and data loss prevention systems in place;
- providing appropriate IT security education to staff, including demonstrations of unauthorised data access and malware;
- requiring employees and other users to change passwords on a regular basis;
- ensuring that all computing devices such as PCs, mobile phones, and tablets are using an up-to-date operating system;
- ensuring all computing devices are regularly updated with manufacturer’s software and security patches;
- using antivirus software on all devices;
- implementing a strong firewall;
- reviewing vendor-supplied software and updating default system, administrator, and root passwords and other security parameters to ensure defaults are not left in place;
- ensuring data backups are taken and are stored securely in a separate location;
- ensuring that data backups are periodically reviewed and tested to ensure they are functioning correctly;
- ensuring that data is collected and stored securely;
- ensuring that mobile devices (such as laptops, mobile phones and tablets) are encrypted;
- ensuring that two-factor authentication is enabled for remote access; and
- ensuring that websites have TLS (transport layer security) in place to securely collect personal data via web forms (such as for newsletter subscriptions) or on e-commerce sites.
Examples of practical physical security measures to be employed at your firm include:
- keeping offices and storage units locked;
- keeping server rooms or cabinets locked;
- cabling desktop machines and laptops to desks;
- implementing clean desk policies;
- ensuring that fire and burglar alarms are in place and that they are functioning correctly;
- ensuring that ICT equipment such as hard drives, old laptops, computers and mobile devices is securely disposed of at end of life;
- having specific and adequate insurance to cover the costs of any data breaches or cybercrime.
Managing cyber risk, either for practices or their clients, is not simply about managing data within the perimeter of the organisation. Therefore, it becomes necessary to document the security risks from your supply chain (e.g. cloud service provider), as well as your own organisation.
Testing your cybersecurity and disaster recovery planning should also be a key consideration to ensure GDPR compliance after May 2018.
For example, ask yourself if your company has a robust plan for the management of security incidents. If you are not confident, now is the time to assess that risk and implement the appropriate security measures that will allow you to deal with incidents within your own firm.