A Guide to the Security Principle of the UK General Data Protection Regulation and What It Actually Means for Businesses
This is certainly not the first article about the UK General Data Protection Regulation (UK GDPR), but there is a lot of, in parts even contradictory, information about it and it is still a relevant topic – hence this page. The main source for this post is the Security page published by the Information Commissioner’s Office.
In summary, the GDPR guide explains the general data protection regime that applies to most UK businesses and organisations. Covering each of the data protection principles, rights and obligations, it summarises the main points to consider regarding individual rights and personal data breaches, accountability and governance, security and the basis for processing. As IQ in IT’s main focus has always been security, a large part of this article will focus on that. Please feel free to check out the original resource here: Guide to the UK General Data Protection Regulation (UK GDPR) | ICO.
What is personal data?
Let’s start by explaining what ‘personal data’ actually means. The UK GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’)”. A natural person is considered identifiable by “reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity”. In short: a natural person is an individual who can be identified directly from the information in question, or who can be identified indirectly from that information in combination with other information.
Do you have a risk policy in place? How often is it reviewed, and who carries out the audits? These are questions worth asking when looking into data protection, both as part of GDPR compliance and outside the scope of it. The goal is to build a culture of security awareness. Let’s have a look at the different factors to consider when analysing cyber security risks and how to deal with them.
Cyber risk is the chance of sensitive data, funds or business processes being compromised or disrupted online. Cyber hazards are most commonly associated with events that could result in a data breach. The following are some examples of cyber risks:
- Data leaks
- Insider threats
Risks are categorised by likelihood, financial impact (information value, reputational loss), exposure and vulnerability, among other factors. The result is a risk matrix that rates each risk on a scale from low to extreme and so determines the focus areas.
Being aware of these threats and being able to quantify and qualify them is a major step towards mitigating them. If you don’t know where to start or would like an independent pair of eyes looking over your assessment, don’t hesitate to reach out.
What do security measures need to protect?
The next step is to define and implement measures to protect personal data. The goal is to ensure that personal data:
- can only be accessed, altered, disclosed or deleted by those authorised to do so;
- remains accessible and usable.
So, if personal data is accidentally lost, altered or destroyed, you should be able to recover it and therefore prevent any damage or distress to the individuals concerned.
External bad actors should not be able to log in to your emails, the CRM tool or databases. Strong, unique passwords and the use of a password manager are therefore crucial. Remember to protect your machines with passwords as well. Stolen laptops pose a huge risk, as they can hold login credentials for all sorts of systems within your organisation. Deploy a tool that allows data to be encrypted remotely to add another layer of security for employees who travel a lot or work remotely.
Apply appropriate security levels to different teams and their members. Start with no rights for new hires (they can’t see or do anything) and decide what they need to be able to do before giving them access to new tools and sets of information. This is called the principle of least privilege and is based on the idea that any user, program or process should have only the bare minimum privileges necessary to perform its function. If your sales rep shouldn’t be allowed to delete contact information, don’t give them the option in your CRM. If your personal assistant shouldn’t be able to download your emails, don’t allow it … you get the idea.
Make sure data is encrypted in transit, especially when people work from home or are connected to a shady public network in a cafe, for example. Your hardware is only as good as the configuration that is applied to its software.
The last line of defence is your backup and recovery mechanism. Take regular backups. Run regular restore tests. Make sure you follow the 3-2-1 backup rule (three copies of the data, on at least two different media, with one of them offsite). As an example, take a server. It should continuously back up to a local appliance (a different physical device, but on the same network) and replicate to an offsite location such as cloud storage, a private data centre or your secondary office. Make sure the data for both backups is encrypted at rest and in transit.
Having your data backed up is a great start. The next step is to ensure that it’s ready when you need it. How long does it take to get your data back and the server running? If everything is stored in the cloud but your production machine is in the office and runs the software for your business, consider whether you can virtualise the production machine in the cloud. Virtualisation here means spinning up a copy of the production machine and granting access to the people in your organisation who need it.
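A check of the backup layout described above (production server, local appliance, offsite replica) against the 3-2-1 rule, the encryption requirements and the restore-test habit, as an added example that is not part of the original article. The copy names, media labels, dates and the 90-day restore-test window are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class DataCopy:
    name: str
    media: str                  # storage medium, e.g. "server disk", "backup appliance", "cloud storage"
    offsite: bool
    encrypted_at_rest: bool
    encrypted_in_transit: bool  # how the copy is replicated; ignored for the primary copy
    is_backup: bool             # False for the production copy itself
    last_restore_test: Optional[date] = None


def check_321(copies: List[DataCopy], today: date, max_test_age_days: int = 90) -> List[str]:
    """Return findings against the 3-2-1 rule plus encryption and restore-test checks.

    An empty list means the set of copies is compliant. The primary copy counts
    as one of the three copies, as in the server example in the article.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies of the data; need at least 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one medium ({', '.join(sorted(media))}); need at least 2")
    if not any(c.offsite for c in copies):
        findings.append("no copy is kept offsite")
    for c in copies:
        if not c.encrypted_at_rest:
            findings.append(f"{c.name}: not encrypted at rest")
        if c.is_backup and not c.encrypted_in_transit:
            findings.append(f"{c.name}: not encrypted in transit")
        if c.is_backup:
            if c.last_restore_test is None:
                findings.append(f"{c.name}: never restore-tested")
            elif (today - c.last_restore_test).days > max_test_age_days:
                findings.append(f"{c.name}: last restore test is {(today - c.last_restore_test).days} days old")
    return findings


# Constructed sample data: the article's server example and a weak layout for contrast.
TODAY = date(2024, 6, 1)
SERVER_EXAMPLE = [
    DataCopy("production server", "server disk", False, True, False, False),
    DataCopy("local appliance", "backup appliance", False, True, True, True, date(2024, 5, 20)),
    DataCopy("cloud replica", "cloud storage", True, True, True, True, date(2024, 4, 1)),
]
WEAK_EXAMPLE = [
    DataCopy("production server", "server disk", False, False, False, False),
    DataCopy("second partition", "server disk", False, False, False, True),
]
```

Running `check_321(SERVER_EXAMPLE, TODAY)` returns no findings, while the weak layout fails every rule and is also never restore-tested.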
Summary and Key Takeaways
The UK General Data Protection Regulation sets out the data protection regime that governs the use of personal data. Personal data is information that can be used to identify an individual through identifiers such as name, birthday, address and many more. Your business is responsible for processing this information securely by means of “appropriate technical and organisational measures”.
Carry out regular risk assessments and build a matrix with focus areas. Avoid reusing the same password on multiple platforms – a password manager can help. Follow the principle of least privilege. This can be achieved through security policies.
Make sure data at rest and in transit is encrypted when working remotely. Use a remote monitoring and management tool to wipe stolen laptops if needed.
Backups are the last line of defence against cyber threats. Test the integrity of your backups regularly. Consider upgrading from backups to a business continuity plan to avoid costly downtime.
IQ in IT is a Technology Success Provider and operates as your outsourced IT department. If you have any question or would like a deep dive on any of the topics discussed, don’t hesitate to get in touch.