In our previous blog post, we explained that one of the two most important things in making sure that you do not fall foul of the regulators is to ensure that you don’t lose, destroy or have any personal data stolen.

The law very much leaves it up to you as to what security steps you should take in relation to the personal data that you process.  It does this because the law recognises that security professionals are much more likely to know what secure looks like than lawyers.  The law also recognises that what is secure today may not be secure tomorrow.

What the law says you have to do

You have to implement “appropriate technical and organisational measures”.  You need to be able to demonstrate those measures.  And you need to review and update them where necessary.

What the law means

Note that your security measures have to be both technical and organisational.  In other words, this is a company effort, not an effort restricted to your IT staff.  It doesn’t matter that your systems are regularly penetration tested if your staff are emailing client details to their personal email accounts so that they can work at home.

You need to have a security policy.  You need to have a policy which states what you do if you have a breach.  You need to train your staff so that they understand these policies and recognise their roles and responsibilities.

Good security doesn’t stand still.  It has to be periodically reviewed. It has to keep up with the state of the art.

Where you can look for help

Luckily, there are places where you can find recommendations as to what good security looks like.  For example, the Information Commissioner’s Office (ICO) and the National Cyber Security Centre have worked jointly to produce a guide on appropriate GDPR security outcomes.

There is also the government Cyber Essentials Scheme.

But don’t neglect the obvious.  Keep your office secure. Use encryption.  Use strong passwords and don’t share them. Have a policy on use of devices outside the workplace.  Have a clear desk policy. Keep laptops locked away. Update software and implement patches promptly.

Cyber crime is often a crime of opportunity, like any other crime, so don’t make it easy.

The importance of a culture of continuous compliance

Most data breaches are not caused by hackers.  They are caused by people making mistakes, or by people doing stupid things.

What you should be implementing in your organisation is a culture of continuous compliance which educates your staff as to what good security means and what they can do on a day-to-day basis to maintain it.  Make them understand; make them care; and they will do their bit to help.

If you would like help in accelerating a culture of continuous compliance and to be able to demonstrate that in an easy way, take a look at The Privacy Compliance Hub – a simple platform which contains a comprehensive data protection compliance programme.

This article is part of an eight part series.  Feel free to check out the others:

GDPR: Are you sure you’re fine?

  1. Are you sure your staff know why the GDPR is important to the success of your organisation?
  2. Are you sure you know what you do with people’s data?
  3. Are you sure you tell people what you do with their data?
  4. Are you sure you trust organisations that you are sharing data with?
  5. Are you sure that nobody will complain?
  6. Are you sure you’re secure?
  7. Are you sure you know which countries keep data safe?
  8. Are you sure you build products and services with privacy in mind?