Unless you’ve been living under a rock for the last few months, you know about the General Data Protection Regulation and the new UK Data Protection Act 2018.
As part of their frantic preparations to be ready for GDPR, some people asked me what measures they had to put in place to keep data secure. The old law said you had to put in place “appropriate technical and organisational measures” but didn’t say what these were.
What does GDPR say?
GDPR preserves this requirement but now provides some basic guidance (in Article 32):
- pseudonymise and encrypt personal data
- ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- ensure you can restore availability and access to personal data quickly if there is an incident
- regularly test, assess and evaluate the effectiveness of your measures
This text seems to get shoehorned word-for-word into all the data processing agreements I see. But it still isn’t all that helpful from a practical level. The Information Commissioner’s Office – the regulator in this area – also has recommendations.
Often, organisations think about the technical data security measures and turn to their IT team. With almost daily stories of data hacking, it’s logical to think about data held in your IT systems. You should also consider the loss of a device which contains data. Or the failure to wipe obsolete devices when you dispose of them. Finally, the loss of hard copy records could also be damaging. So the ICO divides this in two: physical and cyber security measures.
– Physical measures
- consider locks, alarms, security lighting or CCTV
- how do you control access to your premises, and how do you supervise visitors?
- think about how you dispose of any paper and electronic waste
- how do you keep IT equipment, particularly mobile devices, secure?
– So-called “cyber security” measures
- system security – the security of your network and information systems
- data security – ensuring you hold data securely and have appropriate access controls
- online security – eg the security of your website or cloud services
- device security – your organisation’s devices including BYOD
– Practical steps
Many of these are still vague though. If you’re still at a loss, have a look at the UK Cyber Essentials and US StaySafeOnline which have some practical measures you can adopt:
- Use a firewall
- Establish strong passwords
- Choose the most secure settings for your devices and software
- Limit who has access to your data and systems
- Protect yourself from viruses and other malware
- Keep your devices and software up to date including security software
- Automate your updates
- Back up your data
- Keep a clean machine and restrict what staff can install on work devices
- Don’t open suspicious links in email, online etc
- Make sure you can wipe devices remotely
The techies I’ve spoken to are happy to have an increased IT budget but are quick to point out – rightly – that data security isn’t just an IT issue. Data breaches aren’t confined to hacking – they also occur because of poor processes or, frankly, laziness or ignorance. You should embrace data security around your organisation as a whole:
- carry out an information risk assessment
- appoint someone with day-to-day responsibility for information security with requisite resources and authority
- adopt an information security policy to prove you are taking steps to comply
- ensure your key people coordinate with each other
- consider what access to your premises or equipment you give to people outside your organisation
- put in place business continuity arrangements
- undertake periodic checks and update your security measures
- monitor your data security
- educate your staff
What about non-personal data?
Of course, these obligations extend only to the personal data. If you can segregate personal data from other data then you can adopt different measures for the two. If you bundle personal and other data together, that might not be possible. So you will have to adopt the same standards for all your data. You wouldn’t want to compromise any data but some data is more valuable than other.
That’s that then…
To summarise: sort out your people, processes and technology. If you don’t have the expertise, buy it in. Appoint a lawyer to review your contracts and policies. But remember, that’s still not enough. Make sure you appoint a data security expert to look at how you use your data. Beware snake oil salesmen offering you magical GDPR-accredited solutions. Thankfully now the dust has settled a little, many of them seem to have slithered off to their next venture.
Great, that’s GDPR sorted. Next we’ll look at the NIS Directive…