As we all know, GDPR is the new buzzword, and ever since its introduction in May last year businesses and companies have been keen to be on the right side of compliance, especially given the heavy fines involved for non-compliance. But what IT steps should be implemented? Here are our GDPR top tips.

Firstly, it's worth remembering that GDPR relates to information and the storage of information, so it covers all forms of data, analogue/written text as well as electronic. Whilst GDPR covers many specifics, we have selected 3 things you should be doing with your electronic data and systems to help with compliance.

1. Upgrade to Windows 10 / Move away from Small Business Server

Microsoft announced some time ago the end of support for Windows 7 and Small Business Server 2008/2011. The final day of support is 14/01/20. Beyond this date Microsoft will NOT release any security patches or updates for these systems, so any vulnerability discovered after that date stays open on every machine still running them. Given that one of the key elements of GDPR is ‘Secure data’, you would be considered ‘insecure’ if running these systems beyond this date and therefore non-compliant with GDPR.

This is our number 1 GDPR top tip: get up to date!

2. Encrypt your data

Another GDPR top tip: encrypted data means secure data. Let's imagine you take a backup of your Sage Accounts data onto a USB memory stick so you can pass it on to your accountant. A bit old hat, I know, but lots of people still do this. The problem is that this data is completely insecure. Let's imagine that USB memory stick fell out of your pocket and into the hands of a stranger. It would be very easy to quickly ascertain the type of data and load it into a blank Sage program, and this person would now have access to ALL of your Sage Accounts data, including bank account numbers, named contacts and so on.

Encrypting the data is basically password protecting that data: the files on the stick are unreadable without the password. By doing this you have secured your data in the event of accidental loss of the device, because whoever finds it gets only scrambled data they cannot open.

3. Need-to-know basis: Principle of least privilege (POLP)

GDPR guidelines state that you should only allow access to information to those that need it. For example, if you are copied into an email detailing an order and you need to forward the information to an outside resource, you need to ensure that you forward only the required information (or write a new email). By simply clicking ‘forward’, the outside resource gains visibility of every contact in the chain, and those people did not give permission for their data to be shared. The simple approach is to work on the principle of least privilege: only pass on data that is specific to the task, and only to those that have an obvious need to see that data.

Another example is a shared network drive that may contain details of suppliers, customers and employees’ data. Under GDPR you would need to ensure that permissions are set so that only authorised users can access this data. If you have an office temp working on a loaned computer, for example, you would not want them to be able to see the HR records of the Managing Director.
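One way to lock an HR folder on a shared drive down to the people who need it, as an added example that is not part of the original post. The folder path D:\Shared\HR and the group CONTOSO\HR-Staff are assumed names; substitute your own, and run this from an elevated PowerShell session on the file server.

```powershell
# Added example (hypothetical names): restrict the HR folder on a shared drive
# so that only the HR group and local administrators can reach it.
$HrFolder = 'D:\Shared\HR'
$HrGroup  = 'CONTOSO\HR-Staff'

# 1. Stop the folder inheriting the root share's permissions. A typical shared
#    drive grants "Users: Read" at the root, and that inherited entry is exactly
#    what lets a temp on a loaned PC open the Managing Director's HR file.
icacls $HrFolder /inheritance:r

# 2. Grant only the two principals that need access, replacing (:r) whatever
#    explicit grants were already there. (OI)(CI) makes the entry apply to
#    files and subfolders; M = modify, F = full control.
icacls $HrFolder /grant:r "${HrGroup}:(OI)(CI)M" "BUILTIN\Administrators:(OI)(CI)F"

# 3. Strip the broad groups in case they were granted explicitly rather than
#    inherited; an entry that is not present is simply left alone.
icacls $HrFolder /remove:g "Everyone" "BUILTIN\Users" "Authenticated Users"

# 4. Reset everything underneath to inherit from the now locked-down folder,
#    so no subfolder or file keeps an older, wider grant of its own.
icacls "$HrFolder\*" /reset /T /C

# 5. Verify: anything other than HR-Staff and Administrators listed here means
#    the lock-down did not take and needs investigating before you rely on it.
(Get-Acl -Path $HrFolder).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

NTFS permissions are only one layer: the share itself has its own access list (Get-SmbShareAccess) and the effective right is the more restrictive of the two, so check both.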

As always, to learn more about how we can help, feel free to get in touch.