A series of unfortunate GDPR events part 5 - Secure storage
Having now cleaned up the ancient mailing lists and implemented your record management policy, it's time to look at where to store the data you have.
Physical data storage is the easiest to look at, because you can see it. Yes, that mountain of paperwork sat next to you on your desk needs to be put away. At the end of every day, you shouldn't be able to see any papers or files that could identify a person anywhere in your office or desk space.
For some, this will be one of the hardest challenges. We have seen it all, from the ultra-clean to the "is there really a desk in here?". Just remember that the reason for the regulations is protecting the people whose data you hold, not a nag to tidy up.
You need to limit access to any and all of your data records, so lockable storage (big enough to fit that mountain in) is a great start. If you work from a home office and can dedicate a room to it, you will need some sort of lock on the door; this keeps guests and nosey family members from snooping around your data. Even so, it is advisable to have lockable storage inside the room as well, since a locked door does nothing once it is open.
The storage of electronic data records is a little more difficult, because they are harder to see. You will still need to know where every copy is at all times: on the desktop, on the laptop, on the USB stick in the drawer, in the email attachments. Storing data on your computer without any thought for security is probably the most common thing we come across, and it has to stop, because it is incredibly insecure.
You may say, "Well, I have anti-virus installed on my computer." Sadly, while that is good practice, it has never been enough on its own to keep data safe. Anti-virus does nothing for a laptop left on a train or a USB stick dropped in a car park. There are many different AV packages out there that do a similar job, but AV on its own does not make you GDPR compliant.
The ICO's guidance recommends encryption to protect the data. Encryption scrambles the data into an unreadable form that can only be turned back into readable data with the right key or password, so a lost or stolen device gives whoever finds it nothing useful. The caveat is that encryption only helps while the device is switched off or locked: anyone who can log in to your running computer can read the files just as you can, so it has to be paired with a strong login password or PIN and a screen that locks when you walk away.
Encryption is advised for all devices, including USB sticks and mobile phones. You usually do not need to buy anything: Windows has BitLocker, macOS has FileVault and Linux has LUKS for whole-disk encryption, and current iPhones and Android phones encrypt their storage once a passcode or screen lock is set. For USB sticks, either buy hardware-encrypted drives or use an encrypted container such as VeraCrypt; a plain stick with a sticky label on it is not secure storage.
As with physical data records, you will need to limit access to electronic records to the members of staff who actually need them. Sally from HR does not need to know what's going on in accounts, for example, and accounts does not need to see HR's sickness records. Separating the data into different areas (a folder or share per department, with access granted to a group rather than to individuals) is not hard to do, but it takes time to set up and to keep on top of as people join, move and leave. We would advise getting a professional to handle the data segregation, and to check it afterwards by logging in as an ordinary user and confirming they cannot open anything they shouldn't.
Have you ever thought about what would happen to your business if you lost access to your computer or physical records?
Another important part of GDPR is the implementation of a business continuity plan. The plan lists, step by step, what happens in the event of a loss of data, for example after a fire or a computer failure. It highlights the need for data backups, something that was once common practice but has faded into myth and legend for a lot of businesses. A backup only counts if it survives the same event that destroys the original, so keep at least one copy off-site or offline rather than on the same computer, encrypt it like any other copy of the data, and actually try restoring from it every so often; a backup that has never been restored is a hope, not a plan.
Your continuity plan should clearly identify how long your business could afford to be down and how you would go about getting up and running again. Within your plan, you will need to identify the data that is critical to business survival, ensuring that it is the first to be backed up and can be restored at a moment's notice.
If you employ staff, it is a wise idea to run regular training on the use of the plan and to stage practice drills so that staff know their role within it.
Did you miss our last blog in this series? We talked about record management and how to be compliant, which will really help when you look at your secure storage options. You can find it here.