
GDPR Top Tips: Our Top 3 Tips

As we all know, GDPR is the new buzzword, and ever since its introduction in May last year businesses and companies have been keen to be on the right side of compliance, especially given the heavy fines involved for non-compliance. But what IT steps should be implemented? Here are our GDPR top tips.

Firstly, it's worth remembering that GDPR relates to information and the storage of information, so that includes all forms of data, including analogue/written text as well as electronic. Whilst GDPR covers many specifics, we have selected 3 things you should be doing with your electronic data and systems to help with compliance.

1. Upgrade to Windows 10 / Move away from Small Business Server

Microsoft announced some time ago the end of support for Windows 7 and Small Business Server 2008/2011. The final day of support is 14/01/20. Beyond this date Microsoft will NOT release any security patches or updates for these systems. Given that one of the key elements of GDPR is ‘Secure data’, you would be considered ‘insecure’ if running these systems beyond this date and therefore non-compliant with GDPR.

This is our number 1 GDPR top tip – Get up to date!

2. Encrypt your data

Another GDPR top tip: encrypted data means secure data. Let's imagine you take a backup of your Sage Accounts data onto a USB memory stick so you can pass it on to your accountant; a bit old hat, I know, but lots of people still do this. The problem is that this data is completely insecure. Let's imagine that USB memory stick fell out of your pocket and into the hands of a stranger. It would be very easy to quickly ascertain the type of data and to load it into a blank Sage program – this person now has access to ALL of your Sage Accounts data, including bank account numbers, named contacts, etc.

Encrypting the data is basically password protecting that data – by doing this you have secured your data in the event of accidental loss, because whoever picks up the stick cannot read it without the password.
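As an added example (not from the original post), here is how the USB-stick scenario above can be handled on Windows 10 with BitLocker To Go, which is the built-in way to password protect a removable drive. The drive letter `E:`, the recovery-key folder `C:\BitLockerKeys` and the function names are assumptions for illustration; the cmdlets (`Enable-BitLocker`, `Add-BitLockerKeyProtector`, `Get-BitLockerVolume`) are standard on Windows 10 Pro/Enterprise and need an elevated PowerShell session.

```powershell
# Added example, not from the original post. Assumes Windows 10 Pro/Enterprise (BitLocker
# To Go), an elevated PowerShell session, and that the memory stick is mounted as E:.
function Protect-BackupStick {
    param(
        [Parameter(Mandatory)][string]$MountPoint,        # e.g. 'E:'
        [Parameter(Mandatory)][string]$RecoveryKeyFolder  # e.g. 'C:\BitLockerKeys' (NOT the stick itself)
    )

    # Prompt for the password once, as a SecureString so it never sits in plain text in the session.
    $password = Read-Host -AsSecureString -Prompt "Password for $MountPoint"

    # Encrypt the volume with a password protector. Aes256 (rather than XtsAes256) keeps the
    # stick readable on older Windows machines, which the accountant may still be running.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $password `
        -EncryptionMethod Aes256 -UsedSpaceOnly

    # Add a numerical recovery password too, so a forgotten password does not mean a lost backup,
    # and store it somewhere other than the stick it unlocks.
    $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    New-Item -ItemType Directory -Path $RecoveryKeyFolder -Force | Out-Null
    $recovery.RecoveryPassword |
        Set-Content -Path (Join-Path $RecoveryKeyFolder "$($recovery.KeyProtectorId).txt")

    # Report status; ProtectionStatus should read 'On' once encryption has completed.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

# Quick check before the stick leaves the office: $true only when the volume is fully
# encrypted and protection is switched on.
function Test-BackupStickEncrypted {
    param([Parameter(Mandatory)][string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    return ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')
}

# Usage:
# Protect-BackupStick -MountPoint 'E:' -RecoveryKeyFolder 'C:\BitLockerKeys'
# Test-BackupStickEncrypted -MountPoint 'E:'
```

The password is shared with the accountant separately from the stick (a phone call, not a note in the same envelope), and the recovery key stays with you. If the stick is lost, what is lost is an encrypted volume rather than a readable copy of the accounts.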

3. Need-to-know basis: the principle of least privilege (POLP)

GDPR guidelines state that you should only allow access to information to those that need it. So, for example, if you are copied into an email detailing an order but need to forward the info on to an outside resource, you need to ensure that you only forward on the required information (or write a new email). If you simply click ‘forward’, the outside resource has visibility of all contacts in the chain – those users did not give permission for their data to be shared. The simple approach is to work on the principle of POLP and only pass on data that is specific to the task, and only to those that have an obvious need to see that data.

Another example is a shared network drive that may contain details of suppliers, customers and employees’ data. Under GDPR you would need to ensure that permissions are set so that only authorised users can access this data; if you have an office temp working on a loaned computer, you would not want them to see the HR records of the Managing Director, for example.
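As an added example (not from the original post), the shared-drive case above can be enforced with NTFS permissions from PowerShell. The folder `D:\Shared\HR`, the group `CONTOSO\HR-Staff` and the function names are placeholders; the approach is to stop the HR folder inheriting the broad permissions of the parent share and grant access only to the group that needs it, so an office temp's account simply does not appear in the list. A second function lists any catch-all entries (`Everyone`, `Authenticated Users`, etc.) that a least-privilege review should flag.

```powershell
# Added example, not from the original post. Assumes a Windows file server, an elevated
# session, and that 'D:\Shared\HR' and 'CONTOSO\HR-Staff' are placeholder names.
function Set-NeedToKnowFolder {
    param(
        [Parameter(Mandatory)][string]$Path,            # e.g. 'D:\Shared\HR'
        [Parameter(Mandatory)][string[]]$AllowedGroups  # e.g. 'CONTOSO\HR-Staff'
    )
    $acl = Get-Acl -Path $Path

    # Stop inheriting the parent share's permissions ('Everyone', 'Authenticated Users', ...)
    # and do not copy them down: from here on only what we add explicitly applies.
    $acl.SetAccessRuleProtection($true, $false)

    # Clear any explicit entries that were already on the folder.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($rule)
    }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    # Administrators and SYSTEM keep full control so backups and management still work.
    foreach ($admin in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $admin, [System.Security.AccessControl.FileSystemRights]::FullControl, $inherit, $none, $allow))
    }
    # Only the named group(s) get Modify; anyone else, the office temp included, gets nothing.
    foreach ($group in $AllowedGroups) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $group, [System.Security.AccessControl.FileSystemRights]::Modify, $inherit, $none, $allow))
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Lists Allow entries granted to catch-all principals on a folder. Returns nothing when the
# folder is on a need-to-know footing, which makes it a handy check across the whole share.
function Get-OverbroadAccess {
    param([Parameter(Mandatory)][string]$Path)
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Usage:
# Set-NeedToKnowFolder -Path 'D:\Shared\HR' -AllowedGroups 'CONTOSO\HR-Staff'
# Get-OverbroadAccess -Path 'D:\Shared\HR'   # should return nothing afterwards
# Get-ChildItem 'D:\Shared' -Directory | ForEach-Object { Get-OverbroadAccess -Path $_.FullName }
```

Access is granted to a group rather than to individual people, so joiners and leavers are handled by group membership instead of by editing every folder, and permissions follow the user account, not the computer they happen to be sitting at.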


As always, to learn more about how we can help, feel free to get in touch.
