The Quick and Dirty of Privacy and Document Security – Part Deux

You will notice that my previous post did not directly address the GDPR, but if you have enacted those recommendations you will find that you have largely put into place what is required by the regulations. I am promoting data protection by design. Understanding the principles of data protection is far more useful than trying to comply with several hundred pages of regulations, most of which do not apply to small businesses.

One of the most common questions floating around at the moment seems to be “where am I going to store my data???”

The answer is “pretty much where you have been.”

There’s a lot of snake oil out there and promoters promising to salve your concerns and protect your data. They are opportunists selling you something you don’t need by making you anxious. A few comments:

  1. Although our data is sensitive and terribly important to our clients, it is not national security level data. In fact, on the scale of data, it is at the lower end.
  2. The CIA and MI5 are not monitoring your every data movement. It would be terribly exciting if they were, but they’re not.
  3. The data we handle is of no commercial value, except in the rare circumstance that you are working with a celebrity or recognisable politician. Even then, common sense measures are sufficient. In other words, there is no motivation to stalk you and your data.

So, where do you keep your data? Same as before — on your computer, your tablet, or your phone. If you are using cloud services like iCloud, One Drive, Google Drive, Dropbox, Amazon Drive, Evernote, Notability, and a host of others then you are perfectly safe to continue doing so. There is no profit in compromising your data so these companies employ redundant servers, backups, encryption, and levels of security far beyond what we could manage on our own. If you are being reasonable and responsible, using sufficient passwords and keeping your own devices secure from others, then you are doing a good job and you are unlikely to ever end up having to explain to the ICO why your client’s details are in the public domain.

You also have a responsibility to keep your computer free of viruses and malware that might compromise your data. This applies to all your devices. Once such service, which offers free coverage, is AVG. I believe they have a version for every OS out there.

The word “processing” comes up quite a bit and it is admittedly pretty ambiguous and trying to get an answer about what is or is not allowable is also vague. Essentially anything you do with someone’s data is processing. Does that mean, for example, that if you’re using QuickBooks Online for your accounting that you are processing their data in Canada or the USA, where the company is based? No, I don’t think so and I don’t think the ICO would be foolish enough to declare that is the case. You are processing the data in your office. If, however, you are a bank and you are sending data to India to have statements printed up for your customer then you are processing that data outside of the EU. These arrangements are also frequently the source if major compromises because there is financial value, questionable security, and volume.

I prefer to think that the ICO is not suggesting that we suddenly have to pull up the bridges and make sure our emails never go into outer space or across the oceans. Frankly, that would be impossible and turn the UK back into an agrarian society. It is probably sensible, in our privacy policy, to make clear that data may be held on servers outside of the EU or that it may leave the EU before being redirected into the EU. Of course it is.

For the record, QuickBooks Online has addressed these issues and stated that it is in compliance with GDPR. In fact, I have checked with all the out of EU services that we use and found that they are all in compliance with the GDPR. Can I be sure they are in compliance? No and I don’t have the resources to ensure that. That isn’t my job or your job. Further, I have no way of knowing what services they use.

Next time I will discuss social media and the results of discussions and correspondence I have had over the years with the ICO.

Remember this: you are more likely to compromise your client’s information by speaking on the phone next to an open window or someone looking over your shoulder at your screen. It’s the simple things and oversights that bite us when we least expect it.