The General Data Protection Regulation (GDPR) is a set of EU rules that changes how UK businesses handle customers’ personal information and other data. If you don’t manage and protect this information properly, you could be fined millions.
The GDPR will affect how companies get consent to collect information, how that information is used and organised and how it’s stored and destroyed. Failure to stick to GDPR rules could see firms fined up to £18 million. GDPR comes into force on May 25 2018.
To get you started on your GDPR journey, here are some suggestions for first steps. This topic is so important that you may want to seek professional legal and technical advice.
Get high-security shredders
Businesses should shred documents by default. This also applies to any handwritten pages or even Post-its. If you’re on the phone to a customer and taking notes, those notes might contain identifying information – perhaps an address or phone number. They have to be disposed of properly.
A few years ago an EU standard for shredding was introduced. Called DIN 66399, it classifies shredder security according to a ‘P’ rating from 1 to 7. The smaller the shredded pieces, the higher the rating.
A P-1 shredder is a standard strip-cut model. This is fine for non-confidential documents. The strips mean that the average person wouldn’t be able to decipher what was originally on the paper. However, a really determined criminal could reassemble those strips in order to read the document.
For customer and confidential documents, you should use a P-3 confetti-cut shredder at the very least. As the name implies, you’ll end up with paper cut into small confetti shapes. Much harder to piece together and thus more secure.
But what if your office deals in really sensitive information? You’ll need a P-5 level shredder or above. This level of security is normally associated with destroying documents related to espionage and high-level government secrets.
Lock away physical files
A lot of discussion over GDPR has been about online security. Making sure your computers are running anti-virus software, that company phones can be wiped remotely and any files stored online are password protected and encrypted.
But physical security is also important. If you keep confidential information in paper form, make sure it’s protected. In the event of a breach, you want to show GDPR investigators that you took the matter seriously.
Lock all important documents in filing cabinets. For extra security, those cabinets could be in a separate room with a locking door. We recommend using a digital door lock that uses entry codes instead of keys – so they can’t be lost.
Keep a log of who has the codes or keys to the room. Neither should be shared or passed around without permission. If a document goes missing from a cabinet, you won’t have to speak to everyone in the company to figure out who lost it and to start tracking it down.
Use high-security digital storage
If you have to go on the road and can’t access files securely online, you may decide to use a USB stick or external HDD. Unfortunately, it’s easy for USB sticks and drives to be left in meetings, forgotten on trains or even taken out of pockets and bags.
That’s why all company files should be carried on password-protected storage. Even if someone manages to guess your login password, the files on the drive should also be password protected. Two layers of security.
If you have absolutely no option but to carry customer data on a USB stick, minimise the chance of a data breach by using a crypto drive.
These are USB sticks specifically designed to guard against theft, with features such as erasing files automatically after several failed login attempts and encrypting data when the stick is removed from a device.
When you get your USB sticks and external drives, label them per department and/or staff member. You want to be able to track who has the sticks and to sign the storage into and out of the office.
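One way to keep the sign-in/sign-out record the paragraph above describes. This is an added example, not code from the article: a small custody log in which every labelled stick or drive is registered to a department, can be signed out to one person at a time, and is flagged if it has not come back within a deadline. It also refuses to issue a drive that is not hardware-encrypted, following the advice earlier in this section. The device IDs, staff names and timestamps are constructed sample data.

```python
"""Removable-media custody log (added example, not from the article).

Each USB stick or external drive is labelled with an ID and an owning
department. The log records who signed it out, when, and whether it came
back, and reports anything still outside the office past a deadline, which
is the first question to answer when a stick goes missing.
All device IDs, names and timestamps here are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Device:
    device_id: str      # label printed on the stick, e.g. "USB-HR-001" (constructed)
    department: str
    encrypted: bool     # hardware-encrypted ("crypto") drive or not


@dataclass
class CustodyEntry:
    device_id: str
    holder: str
    signed_out: datetime
    signed_in: Optional[datetime] = None


class CustodyLog:
    def __init__(self) -> None:
        self.devices: Dict[str, Device] = {}
        self.entries: List[CustodyEntry] = []

    def register(self, device: Device) -> None:
        self.devices[device.device_id] = device

    def current_holder(self, device_id: str) -> Optional[str]:
        # The most recent entry without a sign-in time is the open loan.
        for entry in reversed(self.entries):
            if entry.device_id == device_id and entry.signed_in is None:
                return entry.holder
        return None

    def sign_out(self, device_id: str, holder: str, when: datetime) -> None:
        if device_id not in self.devices:
            raise KeyError(f"unknown device {device_id}: label it before issuing it")
        if not self.devices[device_id].encrypted:
            # Policy from the article: customer data only travels on encrypted storage.
            raise ValueError(f"{device_id} is not an encrypted drive and must not leave the office")
        holder_now = self.current_holder(device_id)
        if holder_now is not None:
            raise ValueError(f"{device_id} is already signed out to {holder_now}")
        self.entries.append(CustodyEntry(device_id, holder, when))

    def sign_in(self, device_id: str, when: datetime) -> None:
        for entry in reversed(self.entries):
            if entry.device_id == device_id and entry.signed_in is None:
                entry.signed_in = when
                return
        raise ValueError(f"{device_id} is not signed out")

    def overdue(self, now: datetime, max_loan: timedelta) -> List[CustodyEntry]:
        # Open loans older than the allowed period: chase these first.
        return [e for e in self.entries
                if e.signed_in is None and now - e.signed_out > max_loan]


def build_sample_log() -> CustodyLog:
    """Constructed scenario: three devices, one of them never returned."""
    log = CustodyLog()
    log.register(Device("USB-HR-001", "HR", encrypted=True))
    log.register(Device("USB-SALES-002", "Sales", encrypted=True))
    log.register(Device("USB-OLD-009", "IT", encrypted=False))
    t0 = datetime(2018, 5, 1, 9, 0)
    log.sign_out("USB-HR-001", "alice", t0)
    log.sign_in("USB-HR-001", t0 + timedelta(hours=6))
    log.sign_out("USB-SALES-002", "bob", t0 + timedelta(days=1))   # still out
    return log


def audit_sample() -> dict:
    """Run the sample scenario and return what an auditor would ask for."""
    log = build_sample_log()
    now = datetime(2018, 5, 10, 9, 0)
    try:
        log.sign_out("USB-OLD-009", "carol", now)   # unencrypted: must be refused
        unencrypted_blocked = False
    except ValueError:
        unencrypted_blocked = True
    return {
        "holder_of_sales_stick": log.current_holder("USB-SALES-002"),
        "hr_stick_returned": log.current_holder("USB-HR-001") is None,
        "overdue": [e.device_id for e in log.overdue(now, timedelta(days=2))],
        "unencrypted_blocked": unencrypted_blocked,
    }


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(f"{key}: {value}")
```

The log deliberately never deletes entries: an audit trail that can be edited after a loss is of little use when you have to show an investigator what happened to a device.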
Secure your laptops and destroy old hardware
If your business has visitors, you need privacy filters for monitors in the office. These will stop passersby from reading anything on the screens – especially useful in receptions and shipping and packing areas, where names and addresses might be on display.
If your company uses laptops, use cable locks to secure them to desks overnight and when staff take them on the road. If you’re unfortunate enough to suffer a break-in, it will be harder for thieves to take the computers and get your data.
If you are replacing your computers or upgrading components, you will need a plan for disposing of your hard drives and storage – that’s because simply deleting files or reformatting a hard drive doesn’t truly erase the information on it.
With the right software, someone could take that old computer and recover the files you thought you’d destroyed. Remove the hard drives and keep them locked up (in the secure data room), or find a firm that offers hard-drive destruction services.
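To make the point above concrete, here is an added example (not from the article) of why deleting is not destroying. It simulates a tiny disk with fixed-size blocks and an allocation table: an ordinary delete only clears the table entry, as most filesystems do, so a raw scan of the medium still finds the customer record; only overwriting every block the file occupied makes the scan come back empty. The disk layout and the customer record are constructed for illustration.

```python
"""Why 'deleting' is not 'destroying' (added example, not from the article).

A toy disk: fixed-size blocks plus an allocation table mapping filenames to
block numbers. delete() forgets the mapping and touches no data, which is
what a normal delete or quick format does. raw_scan() ignores the table and
searches the medium, which is what recovery software does. secure_delete()
overwrites the blocks first, so the scan finds nothing.
The layout and sample record below are constructed for illustration.
"""
import os
from typing import Dict, List

BLOCK_SIZE = 16


class ToyDisk:
    def __init__(self, n_blocks: int) -> None:
        self.blocks = bytearray(BLOCK_SIZE * n_blocks)  # the raw medium
        self.table: Dict[str, List[int]] = {}           # filename -> block indices
        self.free: List[int] = list(range(n_blocks))

    def write_file(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK_SIZE)            # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            self.blocks[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = chunk
        self.table[name] = blocks

    def delete(self, name: str) -> None:
        # Ordinary delete: release the blocks, leave their contents untouched.
        self.free.extend(self.table.pop(name))

    def secure_delete(self, name: str, passes: int = 1) -> None:
        # Overwrite every block the file occupied before releasing it.
        for b in self.table[name]:
            for _ in range(passes):
                self.blocks[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = os.urandom(BLOCK_SIZE)
        self.delete(name)

    def raw_scan(self, needle: bytes) -> bool:
        # Recovery software's view: search the medium, ignore the table.
        return needle in bytes(self.blocks)


def demo() -> dict:
    # Constructed sample record; no real person or address.
    record = b"Customer: J. Smith, 12 High St, 07700 900123"

    plain = ToyDisk(8)
    plain.write_file("customers.txt", record)
    plain.delete("customers.txt")          # the file is "gone" from the listing

    wiped = ToyDisk(8)
    wiped.write_file("customers.txt", record)
    wiped.secure_delete("customers.txt")   # contents overwritten, then released

    return {
        "recoverable_after_delete": plain.raw_scan(b"J. Smith"),
        "recoverable_after_overwrite": wiped.raw_scan(b"J. Smith"),
        "table_empty_in_both": not plain.table and not wiped.table,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Overwriting is only reliable on media where your writes land on the same physical cells; SSDs and flash drives remap blocks through wear levelling, so copies of old data can survive a software overwrite. That is why the article's advice to keep retired drives locked up or to use a destruction service is the safer default.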
Photocopiers, scanners and printers also have onboard storage – and they may keep images of all documents printed or scanned. This is another way that data thieves have breached company security.
Check with the manufacturer to see what steps you need to take before selling or disposing of a printer.
Remember that these are just tips and pointers. Your company’s compliance with GDPR will have to fit your firm’s particular needs, whether you’re a tiny SME or a major player. Your aim isn’t just to be compliant with GDPR, but to exceed its requirements.
That’s the best way to avoid an £18 million fine.