There’s been a lot of talk recently about GDPR, the upcoming change to the Data Protection Act that takes effect on the 25th May 2018. There are, however, a scary number of people/companies out there who have either not heard of GDPR, or think that it won’t apply to them for one reason or another.
A lot of the information that has been communicated has been based on scaremongering tactics and on salespeople promising the world with a piece of software that will make the business compliant with a few clicks of a button, or on claims that if you don’t have every box ticked for GDPR compliance you will be fined huge amounts of money.
I’ve been reading a lot of articles about GDPR recently and unfortunately just about every article I have read talks about data protection, fines, purging your mailing lists, the right of consent and DPOs. None of the articles I’ve read recently has mentioned anything about implementing cyber security and ensuring it is in place and working alongside GDPR.
GDPR is not just about ensuring you have your data governance, policies and procedures in place; it’s also about protecting the computer systems and devices which hold data and ensuring information security best practices are followed, which is covered under step 9 of the ICO’s 12 steps to GDPR.
GDPR, and the Data Protection Act (in the UK) before it, is all about ensuring that personal information is protected and that the company which manages and/or processes the information is doing everything in its power to protect it.
GDPR and cyber security is not just about ensuring that you have encryption enabled on your hard drives, but about ensuring that you have best practices in place: controls and processes to ensure that users receive awareness training, that they aren’t writing passwords on Post-it notes, that people use two-factor authentication where possible, and that passwords are changed so that each site has its own unique one. This can be done by using a password manager to generate a complex random password for each site. Some of the more popular ones include LastPass and 1Password.
Utilising sites such as https://haveibeenpwned.com will also help ensure that your business remains safe, by informing you whether your email address (and potentially your username/password) has been stolen from any site. If you get such a notification you should change your details straight away.
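The two practices above (unique random passwords per site, and checking whether a credential has already appeared in a breach) can be automated. The following is an added example, not code from the original post or from Have I Been Pwned: it generates a random password and checks a password against a Pwned Passwords "range" response without ever sending the password itself. It relies on the k-anonymity scheme the real Pwned Passwords API uses (only the first five hex characters of the SHA-1 hash are sent; the reply lists matching hash suffixes with breach counts). The sample range response and its counts are constructed for this demonstration, so the run is fully offline; `live_fetch_range` shows the real endpoint but is not called here.

```python
import hashlib
import secrets
import string
import urllib.request

# Constructed sample of a Pwned Passwords range reply, keyed by 5-char SHA-1 prefix.
# The first suffix is the real SHA-1 tail of "password"; the counts are made up.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\n"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1\n"
    ),
}


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} mapping."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def sample_fetch_range(prefix: str) -> str:
    """Offline stand-in for the network call; unknown prefixes return no matches."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def live_fetch_range(prefix: str) -> str:
    """Real lookup against api.pwnedpasswords.com (not exercised in this example)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "gdpr-password-hygiene-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=sample_fetch_range) -> int:
    """Return how many times the password appeared in known breaches (0 = not seen).
    Only the hash prefix leaves this function; the full hash and password do not."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def generate_password(length: int = 20) -> str:
    """Generate a random password from a CSPRNG, one per site as the text recommends."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("'password' seen in breaches:", breach_count("password"))
    fresh = generate_password()
    print("generated:", fresh, "seen in breaches:", breach_count(fresh))
```

In practice you would call `breach_count(candidate, live_fetch_range)` when a user sets a password and reject any candidate with a non-zero count; the generated passwords are what a password manager would store for you.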
If you are running a small business, looking at obtaining the Cyber Essentials with IASME governance certification will help provide guidance, assurance and show your customers and suppliers that you take security seriously.
Additionally, ensure that your business controls consider and evaluate risk not only within your business but across your supply chain. When was the last time you verified what your suppliers/partners were doing with your information? Ensuring that your entire supply chain is working towards GDPR compliance and utilising cyber security best practices will help minimise the overall risk of a data breach.
If you carry out the above actions as part of your GDPR compliance work, there is an additional benefit: achieving them will also help your business towards ISO 27001 compliance.
A compliant network
Having a compliant network built up around your business is a handy way to ensure that you are protecting your personal and corporate data. By ensuring that your network is doing its best to protect the data, you add an extra layer of trust and protection, thereby helping to protect the reputation of your business should anything occur.
Building a compliant network can be as simple as sending a questionnaire out to your network asking several questions about how they protect data: do they regularly change passwords? Do they perform security audits? And so on.