Data Security and GDPR regulation

Needless to say, data security is a broad topic. For your convenience, we have broken it down into bite-size sections.

First, let’s cover data security for data that has been printed out, e.g. printed emails, invoices, documents, reports etc. We have summarised that for you in data security for paper documents.

General security principles around the systems and software

Before getting to the security of the data that is held on a computer and in software systems, let us first look at some general security principles around the systems and software themselves. Given their overall importance in securing your data, these principles are also called out in the GDPR regulation. We have summarised them for you in security principles for systems and software.

Data Security – What to consider

Only a holistic and comprehensive approach results in a secure environment. Appropriate security measures for systems and software should therefore be combined with specific measures to secure the data held within them. The most essential of these is data encryption: ensure that personal data is always encrypted both when stored (at rest) and when transmitted (in transit), and that appropriate access control and backup procedures are in place.
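To make the "encrypted when stored" requirement concrete, here is an added example (not code from this page or its authors) of encrypting a personal-data record at rest with an authenticated cipher, AES-256-GCM from Go's standard library. The record contents and the in-memory key are constructed for the example; in a real deployment the key would live in a secrets manager or KMS and never sit beside the encrypted data. The example also shows the point of using an authenticated mode: a single altered byte in the stored blob is detected on decryption rather than silently producing corrupted personal data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh random 256-bit key. In production this key comes from
// a secrets manager or KMS; generating it inline is an assumption of this example.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// EncryptRecord seals plaintext with AES-256-GCM. A fresh 12-byte nonce is
// generated per record and prepended, so the stored blob is nonce||ciphertext||tag.
func EncryptRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, giving the self-describing blob.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecord opens a blob produced by EncryptRecord. Any modification of the
// nonce, ciphertext or tag causes gcm.Open to return an error.
func DecryptRecord(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob is too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record of personal data.
	record := []byte(`{"name":"Jane Example","email":"jane@example.com"}`)

	blob, err := EncryptRecord(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d bytes and unreadable without the key\n", len(blob))

	recovered, err := DecryptRecord(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted with the right key: %s\n", recovered)

	// Flip one bit of the stored blob: the authentication tag no longer matches.
	blob[len(blob)-1] ^= 0x01
	if _, err := DecryptRecord(key, blob); err != nil {
		fmt.Println("tampering detected on decryption:", err)
	}
}
```

The nonce must never repeat for the same key, which is why it is generated randomly per record and stored with the blob; if you expect to encrypt very large numbers of records under one key, rotate keys rather than rely on random nonces alone.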

Last but not least, we want to emphasise the importance of not overlooking the human factor as it has been proven over and over again to be the weakest link in a security and privacy defence.

It is important to teach and to ensure the right security & privacy habits in the day-to-day running of your business. There are lots of online learning platforms that offer Security Awareness Training and Data Privacy Training courses at very affordable prices. Ensuring that all new joiners and all staff, at least once a year, go through those training courses is essential to running a secure and privacy-compliant operation. It is also recommended that you implement a code of conduct that covers security & privacy as well as other ethical business practices.

Do check in with your software vendors and IT teams on the topics outlined here. We have listed some questions below to start the conversation:

  • Do we enforce strict password rules on our office computers / laptops?
  • Are the drives on the office computers / laptops / servers encrypted and backed up?
  • Can we enable two-factor authentication for logging in to systems and software?
  • Do we have access control set up on systems and software in line with industry best practices?
  • Can we implement password manager software so all staff can manage passwords securely?
  • Do our mobile phones have a remote wipe function?
  • Do we maintain a managed list of all systems and software we use along with the security arrangements employed?
  • Do all our systems and software have the latest security patches applied?
  • Do all our systems have anti-virus software installed?
  • Can we schedule periodic Security Awareness Training and Data Privacy Training for all staff?

For more GDPR-related information, see our GDPR Knowledge Base on Data Security or our post on GDPR Compliance checklist for the SME.

Also, feel welcome to try our Free GDPR Policy checker to see whether your policy is compliant.