GDPR – Tools to get you compliant
In our last article we discussed where you should begin. This time we are going to talk about some of the tools you can use to help you get compliant and become a GDPR hero within your business.
If you recall from our previous article, there are four key phases to ensuring GDPR compliance:
The first thing you need to do is create a quick inventory template to start recording the type of personal data you have and where it is stored. When recording the data, you need to make sure that you capture everything: file servers, cloud applications, etc. Don’t forget your backups, wherever they may be! Take full advantage of Windows Search and start scanning those server locations and employee hard drives; if you use Microsoft Exchange, take advantage of its search tools. You will be surprised where personal data has ended up within your Company.
In short, you are looking for this:
- Email address
- Social media posts
- Physical, physiological, or genetic information
- Medical information
- Bank details
- IP address
- Cultural identity
In these locations:
- Removable media
- Log files
- Cloud applications
If you haven’t got time to create your own Excel inventory template, complete the box to the right and we will mail one over to you straight away.
Congratulations, you have now identified all of your personal data in the step above, and it’s almost time to take control. You may have identified some data during your discovery that is in the wrong location or in clear violation of Company policy; unless it’s critical, just ignore it for the time being. It’s easy to start moving data around and preventing access for certain employees, however this is just a reactive task and we’re here to finally take back control. So unless it’s something really bad that you have discovered, leave it alone and move on for the time being.
This phase is focused on creating the rules around your data. This needs to be done logically and calmly because, once complete, you will need to communicate it to all employees within the business. Once done, you can then move data to new locations and implement actual protection controls that will safeguard your data, which is all covered in the next phase.
For this example, let’s consider the hiring process within a Company. Applicants send in their CVs to the HR Manager, who saves them all to their desktop or a network folder, which is backed up by the IT Team. The HR Manager reviews the CVs and sends them on to the hiring manager, who also saves them to their desktop or network folder while they review them.
It’s fair to say that we have now littered the local computer’s hard drive, network drive, email system and backups with personal data belonging to an individual who can, at some point under GDPR, request that you delete any personal data pertaining to them. Good luck!
So before we start talking about Protection, we need to get our Policies right. In the example above this could be very straightforward:
- All CVs will be saved into the following network location and not copied or e-mailed
- All CVs will be deleted after 6 months
Okay, so the above example was quite simple, but it doesn’t have to be overly complex. Keep in mind that this is an evolutionary process and over time your controls will get stronger and stronger. Simply having your personal data identified will enable you to take steps to focus on problematic areas.
When creating your policies, consider these points:
Now that you have successfully identified where your Personal data is located and have created the Policies to govern how this data is used, it’s time to start protecting it.
The protection mechanisms will vary from Customer to Customer; unfortunately it’s not one-size-fits-all and comes down to the Company size, complexity and what you are protecting. Here are some key considerations for you when implementing controls to protect your data.
Protecting your data:
- Physical data centre protection
- Network security
- Storage security
- Compute security
- Identity management
- Access control
- Risk mitigation
Monitoring for and detecting system intrusions:
- System monitoring
- Breach identification
- Calculating impact
- Planned response
- Disaster recovery
- Notifying DPA & Customers
The market is filled with products that are all aimed at ensuring GDPR compliance, however the truth is that none of them is the silver bullet. Actually achieving GDPR compliance is going to take a number of tools and will be an evolutionary journey.
If you are a small business, I really strongly suggest taking out a subscription to Spring’s Protect, a subscription service that will ensure all of your desktops and servers are monitored and maintained 24/7/365, whereby critical security patching is taken care of and monthly reporting is provided that is completely in line with the Government’s Cyber Essentials scheme and the ISO 27001 information security standard.
If you are the Data Protection Officer (DPO) for your Company, it’s important that you have your finger on the pulse at all times: who has been accessing what, where and when. Reporting is going to be critical to your success in this role, however it’s also important that you don’t end up getting bogged down in log files.
In Phase one, you identified the data owners; these are the people that will help you in your role of DPO. Consider sending alerts to the data owners as well as yourself. For example, it’s possible to block certain emails from ever leaving the office that contain certain words or number patterns (bank details, national insurance numbers) and send an email to the employee’s line manager. This will ensure that you don’t have to act on every instance, however you will get full visibility of what’s going on and can review what’s working and what isn’t within the Company, which is really what you are supposed to be doing.
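The following script is an added example and is not code from the original article or from Spring’s Protect. It serves two passages on this page: the Phase one inventory (scan a set of locations and record which kinds of personal data are stored where) and the monitoring idea just described (hold an outbound email that contains bank details or a national insurance number and notify the sender’s line manager as well as the DPO). The sample files, the sample messages, the line-manager lookup and the `dpo@example.org` address are all constructed here so the script runs offline, and the regular expressions are deliberately simple approximations rather than a complete catalogue of personal data.

```python
"""Added example: a small personal-data scanner covering two uses.

Phase 1 inventory: walk a set of files and record, per location, which kinds
of personal data appear and how often.

Monitoring: apply the same detectors to an outbound email and decide whether
it should be held and who should be notified.

Everything below (files, messages, addresses) is constructed sample data.
"""
import re
from collections import Counter

# Detectors for a few of the data types listed in the article. These are
# approximations (for example the NI number check does not enforce every
# prefix rule); treat them as a starting point, not a definitive test.
PII_PATTERNS = {
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ni_number": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
    # UK sort code followed by an 8-digit account number
    "bank_details": re.compile(r"\b\d{2}-\d{2}-\d{2}\s+\d{8}\b"),
}


def detect(text):
    """Return a Counter of {data_type: number of matches} for one blob of text."""
    counts = Counter()
    for name, pattern in PII_PATTERNS.items():
        n = len(pattern.findall(text))
        if n:
            counts[name] = n
    return counts


# ---- Phase 1: build the inventory -------------------------------------------

# Constructed stand-ins for files found on a file server, a laptop and a backup.
SAMPLE_FILES = {
    r"\\fileserver\hr\cvs\j_smith.txt": "Jane Smith, jane.smith@example.org, NI AB 12 34 56 C",
    r"C:\Users\hiring.mgr\Desktop\cv_copy.txt": "Jane Smith, jane.smith@example.org",
    r"\\backup\logs\web.log": "10.0.0.5 GET /index 200\n10.0.0.7 GET /login 200",
    r"\\fileserver\finance\payroll.txt": "Payee J Smith sort 12-34-56 12345678",
    r"\\fileserver\public\notice.txt": "Office closed on Friday.",
}


def build_inventory(files):
    """Return [(location, data_type, count), ...] for every file holding personal data."""
    rows = []
    for location, content in files.items():
        for data_type, count in sorted(detect(content).items()):
            rows.append((location, data_type, count))
    return rows


# ---- Monitoring: outbound email check ---------------------------------------

# Constructed line-manager lookup; a real deployment would read the directory.
LINE_MANAGER = {"hr.manager@example.org": "hr.director@example.org"}
DPO_ADDRESS = "dpo@example.org"  # constructed placeholder

# Data types that must never leave the office by email, per the sample policy.
BLOCKED_TYPES = {"ni_number", "bank_details"}


def check_outbound(sender, body):
    """Decide whether an outbound message is released or held.

    Returns a dict with the action, the data types that triggered it and the
    people to notify (the sender's line manager, if known, plus the DPO).
    """
    found = detect(body)
    triggered = sorted(t for t in found if t in BLOCKED_TYPES)
    if not triggered:
        return {"action": "release", "triggered": [], "notify": []}
    manager = LINE_MANAGER.get(sender)
    notify = [who for who in (manager, DPO_ADDRESS) if who]
    return {"action": "hold", "triggered": triggered, "notify": notify}


if __name__ == "__main__":
    for row in build_inventory(SAMPLE_FILES):
        print("%-45s %-14s %d" % row)
    print(check_outbound("hr.manager@example.org",
                         "Please pay J Smith, sort 12-34-56 12345678"))
```

Run it as a script to print the inventory table and the decision for the sample payroll message. The inventory rows are the raw material for the Excel template mentioned above (location, data type, volume), and the `check_outbound` decision is the kind of event you would route to the data owner rather than reviewing every log line yourself.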
Some of the types of records that you need to consider keeping are:
- Audit logs
- Cloud services logs and documentation
- Breach notifications
- Handling data subject requests
- Governance reporting
- Compliance reviews
A tool such as Spring’s Protect can greatly assist with this by demonstrating and ensuring compliance against a number of technical controls, such as ensuring the firewall is always on and anti-virus is up to date and configured on all machines, etc.
Don’t let this overburden you. Trawling through logs every day is not the answer and will actually make things worse; always keep in mind that we are focusing on the data you identified in Phase one. Here are some things to consider:
- Purpose of collecting the data, and whether it will help
- Classification of personal data
- Third-parties with access to the data
- Organisational and technical security
- Data retention times
In the next article, I’m going to write about Cyber Essentials and why this is something that you should consider for your business as a starting point for IT Security. In the meantime, if you have any questions, post them below and we will get back to you as quickly as we can!