Getting started with GDPR

Digital City

It seems we can’t even go a week without a new security vulnerability hitting the news, or a Company being hacked and losing personal data. This problem has gone on for years, and Companies have been allowed to hoover up personal data unchallenged.

Come May 2018 it’s all change. The General Data Protection Regulation (GDPR) comes into effect and will give EU residents more control over their personal data, regardless of where in the world the organisation is located. In short, if you are handling personal data belonging to an EU resident, GDPR applies to you.

Last year we published a Top 10 FAQ on GDPR; since then, the number one question we are being asked is simply: where do I begin?

The good news is that this page is going to answer that for you. We have also opened up the page to comments, where you can post your questions and we will answer them for you!


GDPR Process

1. Discover

The first thing you need to do is identify all the personal data that you are storing within the Company.

The best method is to start off by listing all the applications that your company is using. It’s good practice to list everything and rule applications out afterwards, rather than leave something off the list that might cause you pain later on in the process. Once that is done, consider what data is being processed by each application. For GDPR we are only interested in personal data, so click here to see a list of the things you want to identify.

Remember, when listing the applications, to include all of your Cloud based applications: Dropbox, OneDrive, any CRM tools etc… Keep in mind that even though your data is hosted in the Cloud, you are still responsible for it. So if Dropbox gets hacked, you are liable.

Once you have completed this exercise for your applications, repeat the process for all of your file servers and network shares. You might also want to include those users and devices that process data locally, such as the HR team.

2. Manage

The first step is to create a Written Policy; this will detail how personal data is to be handled within your Company. You will also be able to define data retention periods and rules that govern your employees. This will prove very useful in the months ahead and will play a pivotal role when it comes to feeding back into your employee training programmes.

When writing your Policy, keep in mind EU residents’ rights and what it would mean to your Company if you were to have a data disclosure. If you are storing data on EU residents and you really don’t need it, then this is the time to get rid of it once and for all.

The GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

Many Companies that we have worked with have also introduced a data classification policy and have detailed what rules apply to each class of data, for example: CLASSIFICATION 3: RESTRICTED – This data may not be shared externally, or copied to any portable media, including memory sticks.
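As an added illustration of steps 1 and 2 (this is not code from the original article), the Python script below scans a constructed set of sample file contents for a few common personal-data patterns, builds an inventory of which locations hold personal data, and flags anything last modified before an assumed retention period so the written policy can decide whether it should be erased. The patterns, the sample files and the seven-year retention period are all assumptions for the demonstration.

```python
import re
from datetime import date, timedelta

# Assumed patterns for a few common kinds of personal data (UK-style phone
# numbers and a "DOB:" field); extend these with the identifiers your policy lists.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_phone": re.compile(r"\b0\d{4}\s?\d{6}\b"),
    "date_of_birth": re.compile(r"\bDOB:\s*\d{2}/\d{2}/\d{4}\b"),
}

# Constructed sample inventory: (location, last modified, contents). Not real data.
SAMPLE_FILES = [
    ("//fileserver/hr/leavers_1999.csv", date(1999, 6, 1),
     "Jane Doe,jane.doe@example.com,01234 567890,DOB: 01/02/1970"),
    ("//fileserver/finance/budget.xlsx", date(2018, 1, 10),
     "Q1,120000\nQ2,135000"),
    ("dropbox:/sales/leads.txt", date(2017, 11, 3),
     "contact: bob@example.org\ncontact: alice@example.net"),
]

def discover(files, retention_years, today):
    """Return one inventory row per location that holds personal data.
    Locations with no hits are ruled out of scope; rows last modified before
    the retention cutoff are flagged so the written policy (step 2, Manage)
    can decide whether they should be erased."""
    cutoff = today - timedelta(days=365 * retention_years)
    inventory = []
    for location, modified, contents in files:
        hits = {name: len(rx.findall(contents)) for name, rx in PATTERNS.items()}
        hits = {name: count for name, count in hits.items() if count}
        if not hits:
            continue
        inventory.append({
            "location": location,
            "personal_data": hits,
            "review_for_erasure": modified < cutoff,
        })
    return inventory

def run_sample():
    # Assumed seven-year retention period, evaluated as of 1 March 2018.
    return discover(SAMPLE_FILES, retention_years=7, today=date(2018, 3, 1))

if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Running it lists only the HR file and the Dropbox file, with the 1999 HR export flagged for erasure review; the finance spreadsheet drops out because it holds no personal data.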

3. Protect

Protecting your systems will vary from Company to Company, and there are many things to consider. At a minimum, Companies should be looking at the following technology:

  1. Data encryption (in transmission and at rest) – Ensure that data remains protected even if it is stolen.
  2. Advanced Threat Analytics – Understand when users are logging in to the network and what they are doing, so that abnormal patterns are detected. How do you know if one of your employees is stealing your data prior to leaving the Company?
  3. Data Loss Prevention – Automatically tag new data in accordance with your Company policy (Step 2 – Manage).
  4. System Patching and Health Monitoring – Ensure that systems are healthy and fully patched at all times.

4. Report

The GDPR requires Companies to report data breaches in certain circumstances within 72 hours of detection, along with notifications to the individuals affected. For this stage you will need to appoint an internal employee as the Data Protection Officer (DPO), or appoint a virtual one, who will be responsible for reviewing system logs and educating the staff whenever a breach occurs or is prevented.

Next Steps

We hope this article has been useful. Next week we will be publishing a list of Microsoft Products and Tools that can assist you in every phase of your project to ensure GDPR compliance. In the meantime, if you have any questions feel free to post below and we will get back to you ASAP!

4 Comments on “Getting started with GDPR”

  1. There is some discussion on technical forums about data encryption and its usefulness. Primarily the argument is that usually when data is stolen, the hacker has administration access or access to the filesystem and the encryption key is therefore stolen too (whether the key is in the database or filesystem). What are your thoughts on this?

    1. Hi David,

      Personally, I’m a huge fan of data encryption and it’s definitely something that you should take into consideration. When it comes to data encryption, you need to consider data at ‘rest’ and in ‘transition’.

      The first, data at rest, is data that’s simply stored on a hard drive. For this we are huge advocates of Microsoft’s BitLocker, however there are other products out there. BitLocker will encrypt the entire hard drive, ensuring that if your laptop were ever stolen the data will not be compromised. Without drive encryption, it really is very easy to extract the data off the hard drive.

      Secondly is data in transition; simply put, it’s when you share data between locations and people. Imagine you are sharing a file with an external party that contains sensitive information. The most basic form of protection would be to encrypt the data using WinZip or 7-Zip and then send a text message to the user containing the password.

      The levels of encryption can ramp up depending on the information that you are trying to protect.

      Regarding your specific question about the storage of decryption keys, yes, these definitely need to be safe. With Microsoft BitLocker, they are stored in Active Directory and away from the end users, so are pretty safe!

  2. I’ve heard that I’m responsible for the data even if it’s hosted in Office 365? How am I supposed to protect against this in the real world? Surely their security is already as good as it’s going to get?

    1. Hi Gump,

      Technically this is correct, however for you to be compliant it’s about taking all reasonable steps to ensure data security. For example, if you kept records of individuals going back 20 years and had no real reason to keep these, then you will definitely attract a fine. However, if it’s only recent data and you can demonstrate that you have risk assessed this and considered all mitigation options, then you should be ok.
