GDPR Week 4 – Best practice for ensuring data security


It’s already week four of our GDPR journey together! You are probably bored of us banging on about the things you need to do to be compliant, but do stick with us. We are nearing the end! Many of you will have already started to tackle your GDPR responsibilities and be well on your way to being compliant. For those who haven’t…there is still time to get a plan in place. Even if you are not completely ready by the 25th of May, having a corrective plan in place will help your cause, so don’t panic.

This week we will be focusing on best practice for ensuring data security. Under the new GDPR rules you are responsible for how your data is stored and protected. Below are some recommendations to prepare your online systems for GDPR.

Recommendation 1 – Have good backups, with regular test restores to confirm that the data is correct

Backup is like an insurance policy: you don’t want to pay for it, but you must have it in case the worst should happen. As part of your disaster recovery solution, you should already be creating and storing a backup of your data, with a copy being held off-site. GDPR builds on this best practice by making it a requirement for you to be able to restore your data promptly in the event of data loss or corruption.

We have two recommendations to help satisfy the extra responsibilities:

  1. Use a cloud backup solution called Datto. These systems are incredibly smart and offer excellent data resilience.
  2. Perform regular test restores. It is one thing having a backup…it is another to know that it will work when you need it. Don’t wait until you’re in a disaster recovery situation to find out if your backup works!

Recommendation 2 – Protect network access by separating corporate machines and devices from personal devices

Who doesn’t like a bit of free wi-fi? It saves your data allowance and probably gives you faster speeds too. So, it is evident that most people will connect their mobile phone to their work wireless network, or a visitor might ask for access. The problem with this is that you now have lots of additional unknown devices connected to your system. Under GDPR it is your responsibility as the data controller to know who has access to what on your network, so it is not a good idea to have personal devices on your corporate system.

If you still want to allow personal devices access to your internet connection, we can create a separate guest network for your employees and visitors to use, which stops them from being able to see any of your corporate machines and so removes the risk they would otherwise pose to those machines. Most of you will already have this facility…it’s just a case of switching it on. If you would like us to do this, please let us know.

Recommendation 3 – Create a secure area for sharing data with third parties (subcontractors/suppliers)

Sharing data with third parties is often a vital aspect of most businesses. GDPR, however, changes the relationship you have with third parties, making you both liable for the protection of the data you share. This means that you have to think about the systems you use to pass on information and how you secure access to those systems.

If you are regularly exchanging information with a third party, we recommend that you adopt a secure storage area with access controls, so that you keep full control of your information! We have many solutions tailored to different needs, so if this is something you are interested in, please do get in touch.

Recommendation 4 – Check your marketing data to ensure it conforms with the GDPR requirements

No one likes junk mail, and one of the more publicised parts of GDPR is how it now protects consumers against receiving unsolicited marketing. Great news for consumers, but it adds a few requirements for any of you who perform this kind of marketing activity. You will need to get renewed consent from all of your existing marketing contacts. The ‘gold standard’ of consent is called double opt-in, which means that in addition to a customer signing up through a web form, they need to confirm that they wish to receive your correspondence by clicking a confirmation link in a follow-up email before you can market to them.

We recommend that you use your existing email marketing system to send a new opt-in email to all of your existing contacts using the new consent model. Remember you will be unable to use current lists after the 25th of May if you don’t do this!
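The double opt-in flow described above, as an added example that is not part of the original post and not the code of any particular email marketing system: the web form sign-up creates a pending record plus an unguessable confirmation token, only the hash of the token is kept on the server (so a copied database cannot be used to "confirm" contacts), the link is single-use and lapses after a time limit, and the send job refuses any contact whose confirmation has not been recorded. The 48-hour limit, the "email link" source label and the sample addresses and timestamps are assumptions constructed for the demonstration.

```python
"""Double opt-in consent flow: a web form sign-up creates a *pending* record and
an unguessable confirmation token; only presenting that token (clicking the link
in the follow-up email) turns the record into consent that marketing can rely on."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

TOKEN_TTL = timedelta(hours=48)   # assumption: unconfirmed sign-ups lapse after two days


@dataclass
class Subscriber:
    email: str
    signed_up_at: datetime
    confirmed_at: Optional[datetime] = None
    consent_source: Optional[str] = None    # evidence of how consent was confirmed


class ConsentStore:
    """In-memory stand-in for the marketing database."""

    def __init__(self) -> None:
        self._by_email: dict[str, Subscriber] = {}
        self._pending: dict[str, str] = {}   # sha256(token) -> email; the raw token is never stored

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_subscription(self, email: str, now: datetime) -> str:
        """Step 1, the web form: record a pending sign-up and return the token
        that would be embedded in the confirmation link emailed to the address."""
        email = email.lower()
        token = secrets.token_urlsafe(32)
        self._by_email[email] = Subscriber(email=email, signed_up_at=now)
        self._pending[self._hash(token)] = email
        return token

    def confirm(self, token: str, now: datetime, source: str) -> Optional[str]:
        """Step 2, the confirmation link: accept only a known, unexpired token,
        consume it so the link cannot be replayed, and record when and how
        consent was given. Returns the confirmed address, or None."""
        email = self._pending.pop(self._hash(token), None)
        if email is None:
            return None
        sub = self._by_email[email]
        if now - sub.signed_up_at > TOKEN_TTL:
            return None                      # link arrived too late; a fresh sign-up is needed
        sub.confirmed_at = now
        sub.consent_source = source
        return email

    def may_market_to(self, email: str) -> bool:
        """What the send job checks: a contact is usable only after confirmation."""
        sub = self._by_email.get(email.lower())
        return sub is not None and sub.confirmed_at is not None


def double_opt_in_demo() -> tuple[bool, bool, bool, bool, bool]:
    """Walk two constructed contacts through the flow and return the outcomes:
    (marketable before confirming, wrong token accepted, right token accepted,
    marketable after confirming, expired link accepted)."""
    store = ConsentStore()
    t0 = datetime(2018, 5, 1, 9, 0, tzinfo=timezone.utc)       # constructed timestamp
    token = store.request_subscription("Alice@example.invalid", t0)
    before = store.may_market_to("alice@example.invalid")
    wrong = store.confirm("not-the-real-token", t0 + timedelta(hours=1), "email link") is not None
    right = store.confirm(token, t0 + timedelta(hours=1), "email link") is not None
    after = store.may_market_to("alice@example.invalid")

    late_token = store.request_subscription("bob@example.invalid", t0)
    expired = store.confirm(late_token, t0 + TOKEN_TTL + timedelta(minutes=1), "email link") is not None
    return before, wrong, right, after, expired


if __name__ == "__main__":
    print(double_opt_in_demo())   # (False, False, True, True, False)
```

The `confirmed_at` and `consent_source` fields are the part worth keeping: they are the record that shows when and how each contact confirmed, which is what you would point to if a contact later questioned why they are on your list.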