It seems the approach many small businesses take to data security is one of reaction to sweeping government regulations which are, frankly, intended to curtail the unscrupulous deeds of data merchants. If you are in a business where you collect a modest amount of information about your clients or customers, even if some of it can be considered sensitive, then there is an easier way and it will both satisfy the ICO and your client.
Start off by listing the information you think you need from your client — take time to do this so you don’t miss out anything important. Then list what you intend to use that data for — again, be specific and complete on this. Then determine how you are going to make that data safe — once that meant keeping files locked in a cabinet and it isn’t so different now. Finally, determine how long you will need that information before it can be destroyed.
Before going further let’s clear up a few things. Business isn’t going to come to a grinding halt when the GDPR takes effect and it should only take a moment of thinking to realise that we will all continue to do our jobs, send emails, save documents, and bang away on our phones, tablets, and laptops.
What is expected is for us to exercise reasonable care in protecting data. Although the data we handle is important, it is unlikely anyone is stalking us and preparing to raid our data banks. We are trying to protect ourselves from opportunists and careless releases.
If you have not already done so, register with the ICO — don’t procrastinate by thinking it might not apply — it does. Now, create a foundation of secure behaviour by:
1. Enabling passwords of six or more digits/characters on every device you have that can possibly retain or send data.
2. Encrypting those same devices. Every Windows, Android, Mac, and iOS device is equipped with an encryption scheme. On most Android and iOS devices it is automatically enabled when you create a password. BTW, passwords and encryption are NOT the same thing. A password is a screen and little more. Encryption means that all the data on your device is garbled and scrambled, requiring a key to decipher it. Even removing the data from the device does not remove the protection.
3. Remembering to log out of your devices, particularly laptops, as some will not restore the encrypted state unless you do.
4. If you are going to use USB sticks then you must remember to encrypt them also. Unencrypted USB sticks are one of the most common security breaches that the ICO deals with.
5. Cloud servers like iCloud, Dropbox, OneDrive, and others, regardless of where they are located, are incredibly secure and typically employ better security practices than we do. Used smartly, they are a good way to securely share data, as access can be given via a link and a password.
6. Do not send emails which contain sensitive data, because there is always the slight chance you will send them to the wrong address and a greater chance that the recipient does not have complete control over their email account. See 7.
7. Send reports and other sensitive documents as password-protected and encrypted documents. Word allows password protection of documents. PDF documents saved from Word or created in Adobe can be password protected and encrypted before being attached to an email.
8. Create strong passwords using a random password generator — these are built into most browsers — and remember to store them securely in a data vault. Data vaults are apps that keep your passwords synchronised across multiple devices so that you only have to remember one password to access all of them.
Once you have done this you have created a safe place for your records and your client’s data. There is more to discuss moving on from here like secure use of social media, video chats, and the use of online applications.
I will discuss these in the future.