At iPing we have done some research and the most important point we believe businesses need to consider when considering the introduction of GDPR is to consider how damaging a data breach would be to your business if personal data was made available to the public and therefore you need to consider what risk level your business has and take appropriate steps to secure your data.
You should consider what data is saved on your server – do you have personal customer or employee data saved? If you do not have personal data on your server then then your business has a very low threshold of compliance to meet the GDPR specifications but if for example you store thousands of customers’ home addresses, phone numbers, date of births or credit card information, then you need to protect that data to a very high level.
The definition of personal data is set out below for ease of reference and you will see that it is a wide reaching definition:
““’personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”
an ‘identifiable natural person’ is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Below is a list of technical and organisational measures your business should consider in order to meets its requirements under the GDPR:
Minimum technical measures under the GDPR
- Firewalls which are properly configured and using the latest software (no specific requirement for a valid subscription unless you have high risk data to secure)
- User access control management by, for example, the UAC functionality in Windows. Please note, that in order to comply with the law, there should be no one person in your organisation with full access to all files and even your network administrator should have restricted access. In fact, it is recommended that the network administrator’s normal user account and his/her account with administrator privileges should be separated and only used when appropriate. This makes auditing and control of administrator actions much simpler.
- Unique passwords of sufficient complexity and regular (but not too frequent) expiry on all devices (including mobile phones) to defend against dictionary and rainbow table attacks. The UK government’s National Technical Authority for Information Assurance (CESG) has recently advised against forcing users to change their ‘complex’ passwords because this may lead to the recycling of old passwords, which may be already known to attackers, the need to note passwords down often on an exposed medium left near the device and users forgetting their passwords and being locked out, which leads to a loss in productivity
- Regular software updates, if appropriate, by using patch management software
- Timely decommissioning and secure wiping (that renders data unrecoverable) of old software and hardware
- Real-time protection anti-virus, anti-malware and anti-spyware software
- Encryption of all portable devices ensuring appropriate protection of the key
- Encryption of personal data in transit by using suitable encryption solutions. This may include SSL and IPsec VPN connections which are appropriate for machine-to-machine connections, or PGP which is generally used for messaging, such as, e-mail. PGP or “Pretty good privacy” (around since 1991) has long been part of state of the art security. Nevertheless, if your organisation processes minimal amounts of personal data, encryption will not strictly be a legal requirement and organisations may achieve appropriate levels of security and comply with the law by other means
- Implement secure configuration on all devices (including mobile phones)
- Put in place intrusion detection and prevention systems – This would imply active rather than passive firewalls with a subscription but it’s too vague to make a hard and fast rule
- Data backup
Minimal organisational measures under the GDPR
- Vet and train staff, contractors, vendors and suppliers on continuous basis, as individuals are often the weakest link
- Insist on non-disclosure agreements prior to entering into formalised agreements
- Provide training to staff on data processing obligations, identification of breaches and risks. Even with state of art security software you may not be able to prevent some breaches without having appropriately trained staff
- Restrict staff access to personal data to those who need to know
- Ensure physical security on premises including policy for staff to lock away their documents overnight in secure cabinets, and disposed of any sensitive printouts, which are no longer needed, by putting them in a confidential bin or through a document shredder
- Put in place a ‘Bring Your Own Device’ policy if you allow use of personal devices for work; and
- Implement a strict ban on the use of personal email for work purposes.
Other suggested commonly adopted security practices
- Consider multi-factor authentication, especially for remote access. Without putting a burden on the employee, nowadays, the second authentication can be a fob plugged into the device or through the presence of a corporate mobile phone
- Keep Wi-Fi passcode confidential and change it regularly to prevent creation of “evil twin” Wi-Fi access points. Generally, any WiFi access to the corporate network should use WPA-TKIP which is a centrally administered authentication method and grants access only to authenticated users, such as staff; and
- Implement delinquent web filtering to prevent access to hazardous URLs
We hope the above guide may be of help to you. If you have any questions or need help in considering how GDPR may affect your business, please contact us here at iPing.