Under GDPR, data controllers must notify the Data Protection Commission within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, for instance the exposure of identity documents or payment card data that could lead to identity theft or fraud, businesses must also notify the affected individuals themselves, without undue delay.
A data breach could have significant repercussions for businesses in terms of the potential reputational risk with its service users, the risk of claims for material and non-material damages and administrative fines from the Data Protection Commission. To help reduce your risk of a data breach, the Data Protection Commission has just released an excellent guide for small businesses on how you can best safeguard personal data through your technical and organisational processes.
The guide groups the measures a business should have in place under three headings:
- Technical security measures
- Physical security measures
- Organisational security measures
Technical security measures
When assessing whether you have the appropriate IT systems and security measures in place, work through the following questions with your IT department or outsourced IT provider, and make sure every answer is backed by something you can check rather than assumed:
- Are all computing devices such as PCs, mobile phones and tablets on an up-to-date operating system?
- Are all computing devices regularly updated with the manufacturer’s latest software and security patches?
- Is antivirus software installed on all devices? Are devices regularly scanned for viruses?
- Is there a properly configured firewall in place, with only the services you actually need exposed? What other controls can the firewall offer, such as blocking unexpected outbound connections, so that your business can control the movement of data?
- Has vendor-supplied software been reviewed to ensure that the default system, administrator, root passwords and other security parameters have been updated so that no default settings are left in place?
- Are there regular data backups and are they stored securely in a separate location?
- How often are data backups periodically reviewed and tested to ensure they are functioning correctly?
- What measures are in place to ensure that data is collected and stored securely?
- Are mobile devices such as laptops and mobile phones and tablets encrypted?
- Is there two-factor authentication for remote access to the company network and other shared devices?
- Do websites use TLS (transport layer security, i.e. HTTPS) so that personal data submitted through web forms, newsletter sign-ups or e-commerce checkouts is encrypted in transit?
What is essential is that your business has an in-depth understanding of how it receives personal data, where that data is stored, whether it is stored on multiple devices, how well it is protected and who can access it. Your IT department or provider can assist you in assessing whether there are any vulnerabilities in how your data is handled and how your business can close those gaps.
Physical security measures
Often when we think of data protection we think of electronic data only, however, GDPR also applies to hard copy data and safeguards should be put in place for physical data as well.
The guide recommends that small businesses ensure that ICT equipment, along with the facilities, personnel and other resources that support it, is covered by appropriate security measures. Examples of ICT equipment that may store personal data include:
- Computers — servers, desktops, laptops and tablets
- Photocopiers, multifunction devices and printers
- Mobile telephones
- Digital cameras
- Storage media including portable hard drives, USB sticks, CDs and DVDs
- CCTV cameras
- GPS tracking devices
Businesses should consider what the risk would be, if any, were these devices to be lost, stolen or otherwise compromised. Do they hold personal data, and for how long is that data retained on the device? Can the data be cleared once the purpose for it no longer applies? If the risk is high, you will need stronger technical controls on that device; for example, a printer that handles highly sensitive documents can be configured so that print jobs are only released once the user authenticates at the device.
Other measures that businesses should implement include:
- Keeping offices and storage units locked
- Keeping server rooms or cabinets locked and only giving access to the relevant staff
- Cabling desktop machines and laptops to desks
- Implementing clean desk policies
- Ensuring that fire and burglar alarms are in place and that they are functioning correctly
- Ensuring that ICT equipment such as hard drives, old laptops, computers and mobile devices are securely wiped or destroyed at the end of their use. It is also good practice to obtain a certificate of destruction from the disposal provider to verify that they have been disposed of securely
The guide recommends that small businesses create and implement an asset control policy for ICT equipment, which would include:
- Recording the location and responsible user of each device, and
- Conducting periodic audits of its ICT equipment against that record
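The technical checklist above and the asset control policy fit together naturally: if the register records, per device, the facts the checklist asks about, the periodic audit can be run as a script rather than a manual tick-box exercise. The following is an added example written for this article and is not code from the DPC guide or the SFA; the register fields, the thresholds (patch age, restore-test age, audit age) and the sample devices are all assumptions made for illustration, and a real register would be loaded from your own inventory rather than constructed inline.

```python
"""Audit a small-business ICT asset register against the checklist points above.

Added example, not code from the DPC guide or the SFA. The register fields,
thresholds and sample devices are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Illustrative thresholds (assumptions, not figures from the guide).
MAX_PATCH_AGE_DAYS = 30        # vendor patches applied within the last month
MAX_BACKUP_TEST_AGE_DAYS = 90  # a restore actually tested at least quarterly
MAX_AUDIT_AGE_DAYS = 180       # each device physically verified twice a year
PORTABLE_KINDS = {"laptop", "phone", "tablet", "usb"}


@dataclass
class Asset:
    asset_id: str
    kind: str                        # e.g. "desktop", "laptop", "printer"
    user: str                        # responsible person ("" if unknown)
    location: str                    # where the device lives ("" if unknown)
    holds_personal_data: bool
    last_patched: date
    av_installed: Optional[bool]     # None = not applicable to this device
    disk_encrypted: bool
    default_creds_changed: bool
    remote_access_2fa: Optional[bool]  # None = device is not reached remotely
    last_audited: date


def audit_asset(a: Asset, today: date) -> list:
    """Return one finding per checklist item the device fails."""
    findings = []
    patch_age = (today - a.last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"patches {patch_age} days old (limit {MAX_PATCH_AGE_DAYS})")
    if a.av_installed is False:
        findings.append("no antivirus installed")
    if a.kind in PORTABLE_KINDS and not a.disk_encrypted:
        findings.append("portable device without full-disk encryption")
    if not a.default_creds_changed:
        findings.append("vendor default credentials still in place")
    if a.remote_access_2fa is False:
        findings.append("remote access without two-factor authentication")
    if not a.user or not a.location:
        findings.append("asset register incomplete: user or location unknown")
    audit_age = (today - a.last_audited).days
    if audit_age > MAX_AUDIT_AGE_DAYS:
        findings.append(f"last physical audit {audit_age} days ago (limit {MAX_AUDIT_AGE_DAYS})")
    return findings


def audit_backups(last_restore_test: date, stored_offsite: bool, today: date) -> list:
    """Backups count only if they are kept separately and a restore has been tested."""
    findings = []
    if not stored_offsite:
        findings.append("backups not stored in a separate location")
    age = (today - last_restore_test).days
    if age > MAX_BACKUP_TEST_AGE_DAYS:
        findings.append(f"last restore test {age} days ago (limit {MAX_BACKUP_TEST_AGE_DAYS})")
    return findings


def audit_register(assets, last_restore_test, stored_offsite, today) -> dict:
    """Map each failing asset (and the backup regime) to its prioritised findings."""
    report = {}
    for a in assets:
        findings = audit_asset(a, today)
        if findings:
            # Devices that hold personal data are fixed first: that is where a
            # breach becomes a notifiable one rather than an IT inconvenience.
            priority = "HIGH" if a.holds_personal_data else "LOW"
            report[a.asset_id] = [f"{priority}: {f}" for f in findings]
    backup_findings = audit_backups(last_restore_test, stored_offsite, today)
    if backup_findings:
        report["backups"] = backup_findings
    return report


# Constructed sample register for a three-device office (not real data).
SAMPLE_DATE = date(2024, 6, 1)
SAMPLE_ASSETS = [
    Asset("PC-01", "desktop", "accounts", "Office 1", True, date(2024, 5, 20),
          True, False, True, None, date(2024, 3, 1)),
    Asset("LT-07", "laptop", "sales", "", True, date(2024, 3, 1),
          True, False, True, False, date(2024, 1, 10)),
    Asset("MFP-02", "printer", "reception", "Reception", True, date(2023, 11, 1),
          None, False, False, None, date(2023, 9, 1)),
]


def run_sample() -> dict:
    return audit_register(SAMPLE_ASSETS, date(2024, 1, 15), True, SAMPLE_DATE)


if __name__ == "__main__":
    for asset_id, findings in run_sample().items():
        for f in findings:
            print(f"{asset_id}: {f}")
```

In the sample run the patched, encrypted desktop produces no findings, the unencrypted sales laptop with no recorded location and no two-factor remote access produces four, the photocopier still on its vendor default password produces three, and the backup regime is flagged because the last restore test is older than a quarter. Keeping the register as data and the checks as code is what makes the periodic audit repeatable; the thresholds should be set to match whatever your own written policies promise.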
Organisational security measures
Human error is one of the major causes of data breaches, so it is essential that all staff are trained in GDPR and actually use the security measures provided. It may be inconvenient to manage strong, unique passwords, to use two-factor authentication or to follow the correct IT procedures; however, under GDPR this should be a non-negotiable issue, and businesses need to be firm in ensuring these policies and procedures are followed by everyone in the business.
The guideline advises that organisational policies to keep data secure do not need to be time consuming nor overly complicated to implement, but they should be in writing. The policies should be written in clear, concise language outlining what the rules are. They should be easily accessible to employees and they should be reviewed on a regular basis to ensure they are up to date.
Examples of practical organisational security measures could include:
- Communicating the importance of company data and all the measures that everyone should take to protect the personal data
- Conducting ongoing staff training on, but not limited to, social engineering attacks such as phishing, ransomware and data protection
- Documenting data collection and retention policies
- Ensuring the use of strong passwords by having a password policy in place that is enforced
- Ensuring remote access is supported by a remote access policy
- Documenting a data breach incident response plan and testing it periodically to ensure a data breach can be effectively responded to
- Documenting CCTV and/or GPS policies if this applies
- Documenting data back-up policies
- Periodically reviewing contracts with third-party ICT providers to ensure the security measures documented in them are still appropriate and up to date
The full guide from the Data Protection Commission can be downloaded here.
Next week in data breaches – part two, we will look at what businesses should consider when preparing for a data breach and how to prepare a contingency plan.
If you would like more information on GDPR or to discuss your requirements further, please contact Helen at SFA on 01 6051668 or at firstname.lastname@example.org or visit our GDPR section on www.sfa.ie/advice.