GDPR is primarily concerned with giving people more control over their personal data. It is the responsibility of each organisation holding personal data to ensure it is processed lawfully and transparently with the right processes in place to protect it.
There are multiple IT layers within your business that need protecting and unless they are secure you are at risk of a serious data loss or a cyber-attack that can seriously damage your business revenue and reputation.
In a nutshell, the minimum requirements to protect your IT should include:
- A firewall to protect your internet connection
- Secure settings for your software and devices
- Controlled access to your files and devices
- Processes to ensure all software is up to date and consider 24/7 monitoring
- Software to protect against viruses and malware
Personal Data and GDPR
Overt consent to store, retain and use data isn’t necessary if another lawful basis for processing can be applied.
To be ‘lawfully’ processed one of these must apply:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
- only collect information that you need for a specific purpose;
- keep it secure;
- ensure it is relevant and up to date;
- only hold as much as you need, and only for as long as you need it;
- and allow the subject of the information to see it on request.
Data Protection Officer
Each organisation must appoint a data protection officer who will advise the organisation about meeting GDPR requirements and oversee compliance. They’ll also be the primary contact for the data protection authority. Personally identifiable data, including IP addresses, counts as personal data.
Assess the risks and threats to your business
Before you can establish what level of IT security is right for your business you will need to review the personal data you hold and assess the risks to that data. You should consider all processes involved that require you to collect, store, use and dispose of personal data.
IT Recommendations for GDPR compliance
The recommendations briefly outlined here address the security required to protect personal data held within your organisation. For greater detail on GDPR compliance please refer to:
If you would like to discuss these recommendations and how they relate to your business please call us on 01603 451810 or email firstname.lastname@example.org.
All cloud storage and email services, websites and applications that are used to process personal data must be GDPR compliant.
Devices used to access data on a private network
- Private networks must have a firewall
- If guest access is provided, all PCs should be password protected or use a firewall set to Public mode (non-sharing)
- If PCs are not password protected, guest access should be provided on a separate network with no access to the private network
If the broadband connection is supplied by the landlord, and shared with other tenants, all tenant networks must be behind their own firewall to allow this network to be classed as private.
Devices used to access data on a public network
- Computer firewalls should be set to Public mode, and tablets and phones should use a 6-digit device security code.
- Computers used away from the office (and phones and tablets, if data is held on their internal storage) should be encrypted to safeguard data in the event of loss or theft
- Office 365 files accessed directly in the cloud, the default method configured by Adept, are encrypted in transit and at rest, so no VPN is required to safeguard these. Files uploaded and downloaded by the OneDrive sync software are also encrypted in transit.
- Use business-level security software such as ESET or Webroot
- Ensure Windows and third-party application updates are installing correctly and are current
Emailing files containing personal data
If possible, send files containing personal data as a link rather than an attachment, with a password-protected sign-in required to access the file, as supported by Office 365. If this is not possible or practicable, password protect the email attachments instead. Give the password to the recipient by text message or by phone, or email it to a different address from the one the attachment was sent to. Unless email encryption is used, never include personal data in the subject or body of an email.
Office is fully GDPR compliant and you can find useful information here:
Office 365 Login management
Office 365 self-service password reset should be enabled so that users can change their passwords securely in the shortest possible time, and so that passwords never have to be emailed to users.
Where persons not authorised to access personal data can gain access to devices, those devices should always be locked when left unattended, or protected by a password or other login restriction. Devices should be set to lock automatically, or go to a password-protected screen saver, after a set period of inactivity.
- Passwords should never be written down; we recommend a password management system
- Use unique passwords
Above minimum requirements
Invest in a proactive monitoring and maintenance solution, such as Adept Total PC Security, to ensure all PCs are up to date and that viruses and malware are dealt with promptly.
- Utilise Office 365 file and/or email encryption
- Set passwords to expire within 90 days or less
- Enable multi-factor authentication
- Keep the router running the latest firmware
- Change the wireless passcode regularly
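The device settings recommended in the sections above (Public firewall profile, full-disk encryption, automatic screen lock, current updates, antivirus, and a password expiry of 90 days or less) can be checked on each Windows PC rather than taken on trust. The script below is an added example written for this page; it is not Adept’s code or part of any product named here. It assumes an elevated PowerShell session on an English-language Windows 10/11 PC with the built-in NetSecurity and BitLocker modules available, and the 15-minute screen-lock and 45-day update thresholds are our own choices, not figures from the page. It changes nothing; each check simply reports pass or fail.

```powershell
# Added example (not from the original page or from Adept): read-only audit of
# the endpoint settings recommended above on a Windows 10/11 PC.
# Assumptions: elevated PowerShell; English Windows (the "net accounts" text is
# parsed); NetSecurity and BitLocker modules present (they ship with Windows).

function Test-EndpointBaseline {
    $results = [ordered]@{}

    # Firewall: Public profile on and blocking unsolicited inbound connections, so a
    # laptop on guest or hotel Wi-Fi is not sharing files or services.
    $public = Get-NetFirewallProfile -Name Public
    $results['Firewall Public profile enabled']        = ("$($public.Enabled)" -eq 'True')
    $results['Firewall Public blocks inbound default'] = ("$($public.DefaultInboundAction)" -eq 'Block')

    # Disk encryption: the system drive should be fully encrypted with protection on,
    # so a lost or stolen device does not expose the personal data stored on it.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $results['System drive BitLocker protection on'] = ("$($vol.ProtectionStatus)" -eq 'On')
    $results['System drive fully encrypted']         = ("$($vol.VolumeStatus)" -eq 'FullyEncrypted')

    # Unattended devices: screen saver must require a password on resume and start
    # after a short idle period (15 minutes = 900 seconds used here as the threshold).
    $desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $timeout = 0
    [void][int]::TryParse("$($desk.ScreenSaveTimeOut)", [ref]$timeout)
    $results['Screen saver password on resume'] = ("$($desk.ScreenSaverIsSecure)" -eq '1')
    $results['Screen saver timeout <= 15 min']  = ($timeout -gt 0 -and $timeout -le 900)

    # Updates: date of the most recent installed hotfix, to spot machines where
    # Windows Update has quietly stopped working (45-day threshold is our assumption).
    $lastFix = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $results['Windows update installed in last 45 days'] =
        ($null -ne $lastFix -and $lastFix.InstalledOn -gt (Get-Date).AddDays(-45))

    # Local password policy: maximum password age of 90 days or less.
    # "Unlimited" or a missing line leaves $maxAge at 0, which fails the check.
    $line = (net accounts) | Select-String 'Maximum password age'
    $maxAge = 0
    if ($line) { [void][int]::TryParse((($line.ToString() -split ':')[-1].Trim()), [ref]$maxAge) }
    $results['Local max password age <= 90 days'] = ($maxAge -gt 0 -and $maxAge -le 90)

    # Endpoint protection: Windows Security Center lists at least one registered
    # antivirus product (third-party products register here as well as Defender).
    # The SecurityCenter2 namespace exists on client Windows only, hence SilentlyContinue.
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    $results['Antivirus product registered'] = ($null -ne $av)

    return $results
}

# Print one row per check; any "False" is a setting to correct before the device
# is used to access personal data away from the office.
$baseline = Test-EndpointBaseline
$baseline.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = $_.Value }
} | Format-Table -AutoSize
```

Multi-factor authentication and Office 365 password policy are tenant settings and are not visible from the PC, so they are deliberately not covered here; check those in the Microsoft 365 admin centre. Running this script as part of a regular maintenance routine turns the list above into evidence you can keep for your GDPR risk assessment.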
Tablets & phones
- Utilise Mobile Device Management, enabling the erasure of devices if stolen or lost.
- Utilise security and encryption software to protect your device from malware and data theft
Local storage devices (servers/NAS)
- 90 day password expiry for any user account with remote access.
For advice on IT Security in your business please call us on 01603 451810.