General Data Protection Regulation (GDPR)

From May 2018 the new data regulations are coming into force from the EU – as it currently stands whatever happens with Brexit these will apply. It’s extremely important that they are taken seriously as the fines for non-compliance can be as high as £20 million or 4% Global turnover – whichever is higher.

Summary

The focus of the legislation is on personal data – the way It’s stored, collected and kept, as well as whom has access to it. If its stolen whilst in your care, then you could be liable for a big fine. Below is a brief overview of what you need to be doing.

  • Conduct a review of all the data you store, identifying all personal information that you hold (whether on staff or customers) as well as who in your organization has access to it.
  • Any data which doesn’t need to be held needs deleting.
  • Anyone that doesn’t require access to the data for their job needs to have access revoked. It is advised to document who needs access to it and why
  • You may be asked to provide all the information you hold on an individual – ensure you have procedures and templates in place ready.
  • Create documentation and procedures for the removal of data from your systems if an individual requests you to do so. This includes data that is held in backups – in instances when this cannot be erased systems need to be established so the backup is locked down.
  • All personal information needs to be encrypted in transit (Names, addresses, DOB, Phone Numbers, Pay Slips, NI numbers etc.) – none of these can be put into an unencrypted email, as a minimum they require password protecting.

 

  • Opt out permission is now opt in – permission needs to be gained to store and use information and this permission needs to be recorded and records retained and this is retrospective of any existing mail lists currently held.

For the moment these don’t apply to business information but its best practice to implement across the board. 

Our Role

We are not GDPR specialist solicitors, for customers with other 50 members of staff or with specific requirements you will need to seek expert advice. Many of our customers however have asked us to assist with their GDPR requirements and this is what this document seeks to achieve. This is advice only however and not a consultation – we will not be held liable for any claim made against you for not fulfilling one of your requirements under GDPR.

Areas we will offer advice:

Setting up company policies and documentation

  • Staff Training
  • Implementing required changes to your IT infrastructure
  • IT infrastructure meets security requirements
  • Backup requirements  Website requirements

 

We have been working with a specialist firm to get these documents drawn up ready to be implemented by our customers. There is still a lot of work to do to ensure your organisation meets the requirements but this should cut the admin time down considerably. We are happy to work in one of two ways:

 

 

  • Provide you with the documents to work through and apply to your organisation

 

  • To come onsite, assess the company and work through the documents on your behalf which would be charged at our normla hourly rate. NOTE: Even with this option you will still be given a list of tasks you will need to implement and maintain to be compliant.

 

There is a lot of documentation that needs to be put in place – below are just a few examples….

 

  • Pseudonymisation, Minimisation and Encryption
  • Retention of Records
  • Data Protection Policy
  • Training Policy
  • Privacy Policy
  • Subject Access Request Procedure
  • Personal Data Breach Notification Procedure
  • Consent Procedure & Withdrawal
  • Retention and Disposal Schedule

……….and many more (depending on your organisation)

Company Documentation

As part of our GDPR compliance we require “opt-in permission” in order to access your system to provide support (especially remote access). From your side you will also require a contract detailing what we have access to, why we need it and how we access it to ensure you are covered under the section of “who has access to the data and why”.

Updates & Security Holes (Inc CPU vulnerability)

Data security is a big part of GDPR. Every company has a legal responsibility to ensure they are doing everything they can to keep the data safe. This means that all software must be up to date with all the latest security patches. Whilst it’s possible to do this in house, it does need to be done regularly and records kept of the fact. We are rolling out a new system known as “Managed Workplace” to assist with this. It can be configured to run updates at a particular time (usually an evening when everyone has gone home) and provide a report stating that it has been done – which can be kept with the GDPR documentation. Incidentally Managed Workplace also offers many more services which are helpful alerting us to issues such as potential hard drive failures, if disks are getting full, unusual CPU usage indicating infection etc.

CPU HACK – http://www.bbc.co.uk/news/technology-42564461 As you may have read pretty much every processor currently in use has a major security flaw which the industry is expecting “to haunt us for years”. Software giants are racing to provide patches to fix these and unfortunately the fixes are reducing the speed of some machines by 30%. We are still recommending installing the patches and if users suffer a significant slowdown we will look at them on a case by case basis with suggestions.

Commercial Antivirus

There are many good free antivirus products out there and until recently we have been quite happy to endorse them – GDPR changes this however. If your system were to become infected and data compromised and it was found that your security system was a free off the shelf package, your position would be difficult to defend. We are therefore recommending that all business users now use paid for business grade security software – this links in with Managed Workplace and allows us to make sure its kept up to date and regular virus and malware sweeps are performed (again a report can be generated to confirm this and prove compliance).

Encryption of Hard Drives

The other physical weakness of a network is the hardware itself and the possibility of theft. \in an ideal world every hard drive should be encrypted but this may not always be practical. As a minimum we are recommending that all servers and laptops employ hard drive encryption – in the event of a theft or loss of a laptop none of the data would be accessible from the unit.

Backups

Backups going to external hard drives again need to be encrypted. Any data going offsite needs to be going to a safe and secure location (ideally kept in the UK or the very least Europe). We are recommending secure offsite backups to every company to help recover from “cryptolocker” type threat which is on the increase.

Privacy Policy

A privacy policy is required company wide but especially on your website. This will detail exactly what data is obtained and stored and how it is used. The guidelines state the following:

Your privacy must be:

  • Concise, transparent, intelligible and easily accessible;
  • Written in clear and plain language, particularly if addressed to a child;
  • Free of charge.
SSL Certificates

SSL certificates give your website visitors assurance they are on your website and allows for data encryption. Depending on what information your site receives and gives out you might not necessarily require an SSL certificate under GDPR rules. That being said, google no longer looks favorably on sites that do not have an SSL certificate and your rankings will be affected if there isn’t one. An easy way to check is to see if your website does, is by typing in https:// rather than the traditional http://. If it reverts to the latter, or you get a warning red cross, then it doesn’t.

Newsletters

Any company that sends out correspondence to customers for marketing purposes now needs to be aware that the law is changing to an “opt in” system rather than “opt out”. Sending a newsletter out to a mailing list with an unsubscribe link at the bottom is no longer sufficient. Now customers have to specifically tick a box agreeing to be contacted in this manner and this consent needs to be logged and kept. The customer can remove this consent at any time and they then need to be removed from your lists, a mechanism for this to work therefore needs to be implemented.

 

Note: This applies to post and telephone as well as email!

Staff Training

Staff is the biggest challenge to ensure that GDPR is met. Many store passwords in their web browsers, and if they are company related then this is not good practise. If a program gets past your antivirus then it could download all of these and the hacker would have access to all of your accounts. There are free tools that perform the same task but also are secure. The areas we look to train staff in

  • Encrypted Storage of passwords (for website access)
  • Phishing detectors
  • Fake News Detector (often contain threats)
  • Pop Up and Ad Blockers  Scam Emails
Access Permissions

It’s the responsibility of every company to ensure that all personal data is secure and can only be accessed by individuals that have a need to use it. If during the course of an individual’s job they do not require access, then they should not be able to see the files. This will likely require some restructuring of your company’s network and how staff access the files, which we can assist with. Similarly, regular reviews should be conducted to check whether access is still required.

Encrypted Emails

It will no longer be legal to send emails with personal or sensitive data without it being encrypted first. Emails by their very nature jump all around the internet via lots of different servers until they reach their destination and can be intercepted. We have a plugin that works with Microsoft Outlook which will encrypt all attachments with a password. This password can be a default to all emails sent out or different passwords can be set for individual email addresses which will automatically be applied when emailing them.