18 Practical Tips for GDPR compliance
As a global leader in the buying, refurbishing and selling of data centre equipment, Techbuyer’s business spans the whole lifecycle of GDPR compliance. Our preparation took more than 1000 hours over three months. We wrote 18 comprehensive new policies and procedures; created and managed a full asset and access register for the hundreds of devices and computers; created a new CRM; implemented an internal helpdesk; executed file server migration; and carried out vulnerability and application scans, fixes and rescans.
We are sharing the simple, effective and low-cost solutions we picked up along the way.
- Encrypted servers like Google or OneDrive are fine for data transfer. Enable the two-step identification process for extra security.
- Test how long it would take criminals to break your password using brute force methods at https://howsecureismypassword.net/
- Delete emails with sensitive information from the “sent” box after sending. This stops hackers accessing the information through your computer as easily.
- Cloud-based services are a great GDPR-compliant resource for file storage if their data centre is in the EU. OneDrive, Google and WeTransfer all have data storage sites in the UK. Dropbox is in the US and is not GDPR compliant at the current time. It expects to be so by May 2018, when GDPR comes into effect.
- A great resource for the road to GDPR compliance: the 165-question IASME questionnaire will give you a comprehensive view of the areas you need to address to be closer to compliance. See https://www.iasme.co.uk/cyber-essentials-and-gdpr/
- Always look for the simplest solution with data management. If you limit employees’ access to information they do not need to carry out their job, you will minimise the time you spend on procedure writing, in-house training and background checks.
- Minimise the data you hold. Look at the contact form on your website: does it allow customers to give only one form of contact? Would it be easier for you if it did?
- Secure your wireless network with a password to protect it from opportunistic thieves.
- Secure against data theft from physical devices by ensuring laptops, tablets and mobile phones can be wiped remotely.
- Look at levels of access for colleagues sharing the same computer and ensure that each person has a separate login. The more people have access to data, the more security, background checks and training you will have to put in place.
- For employees who have to remember multiple passwords, free password vaults available for download online include 1password.com, lastpass.com and onepass.com.
- Always delineate between home and work passwords. You would not allow the same key to be used for someone’s house and your work building.
- Changing passwords too often increases the chance of people forgetting them. Check out password security on something like howsecureismypassword.net and stick with the one that would take hackers the longest time to break.
- Off-the-shelf website builders like Wix or Weebly will have their own security protocols built into the website. Check third-party providers to see that they use HTTPS rather than HTTP to ensure they are secure.
- Do your due diligence on third-party suppliers of business software for aspects of the business, such as HR or Accounts. Check the supplier’s website to see that the organisation is GDPR compliant.
- There are low tech ways of protecting data. If you have paper copies of documents, a filing cabinet or locked drawer is a great solution.
- Are you a data processor? If you have CCTV footage or process information like pensions, you may well be. There is a data processing registration available from the ICO for £25, which will give you access to advice from the ICO.
- Ensure Wi-Fi networks are secure with the WPA2 security standard as a minimum.