The 4 Essential Dos and Don’ts of Handling Confidential Information in Your Business

GDPR has changed our attitude towards the information we hold in our businesses and our perceptions of the responsibility we have for it. But GDPR isn’t just about electronic information – it relates to all the information you hold within your organisation.

Digital systems have changed the volume of data every organisation has about its sales prospects, customers, staff and other stakeholders. Sometimes it feels as if we are drowning under a deluge of information.

But it is still the case that many organisations are not fully digitalised. For many of us, digital transformation programmes are still in their infancy. Digital systems often operate in discrete operations – the data from social media doesn’t always marry up with sales orders or email marketing lists, for example.

As a result, businesses have to grapple with managing many types of data, both paper-based and electronic, for the full lifetime of its use by the business. Here, the Grant McGregor team considers what this means in practice.

#1. Control access

As soon as information comes into your business, you have a responsibility to keep it secure.

With paper records this means lockable cabinets. Or, if you have a lot of records, access-controlled rooms. Just as you control access and the conditions such as airflow, dampness and light for paper record storage, your electronic records require the same level of access control and monitoring.

This means setting up the right access rights – a policy of “least privilege” is usually the best strategy – and good password management. Make sure staff are familiar with password best practice, so that they can ensure security is maintained throughout your data ecosystem.

#2. Share wisely

When we need to ensure the secure delivery of confidential documents, we invest in a trusted specialist courier firm to ensure the paperwork reaches its intended recipient without being tampered with.

Electronic data should be treated in the same way. Rather than sending confidential documentation over email, which is notoriously prone to interception, forwarding and other insecure practices, it is important to put systems in place that support secure sharing.

Ideally, a well-managed document repository such as SharePoint, hosted on secure systems with the right access controls in place, is the best way to share documents either internally or externally. The benefit of SharePoint is its close integration with Microsoft Teams, so you can securely upload files and share them appropriately very easily regardless of where you’re working from. The extra options for locking documents in the Microsoft ecosystem can further control access and ensure that files can’t be shared, copied, forwarded or screen-captured.

#3. Don’t hold onto it longer than necessary

When it comes to disposing of confidential papers in an office environment, a cross-cut shredder has long been an office staple. In the same way, you should manage the disposal of your confidential electronic records and documents very carefully.

A policy of defensible deletion is usually the best policy and is in accordance with GDPR. This requires a proactive approach to information management. ISO 27001 or IASME Gold can be a useful supporting approach, giving you comprehensive visibility of where information resides throughout your organisation. When data is disposed of, you need to be able to demonstrate that it has been scrubbed from your records and from those of any third-party partners with whom you have shared it.

#4. Employee training

We’re quite used to having strict policies around paper and electronic documentation. Usually this is covered off during employee induction training.

For paper documentation, this is usually more than enough. The days of smuggling out microfiches of commercially sensitive plans are long gone.

Of course, that is because it is now far easier to copy and transport vast swathes of information stored electronically. And, of course, microfiches are somewhat rare in this day and age.

This means that staff training on electronic documentation security must be an important plank of induction training, and continually reinforced with further security awareness training and communication.

Most importantly, awareness of the risks around email needs continual reinforcing. It only takes one lapse in concentration to forward commercially sensitive information or financial data to the wrong contact and you have a major security breach, impacting your bottom line and your organisational reputation.

Specific training around the risks of email should be undertaken on a regular basis for all staff. Don’t allow your executive team to sit this out either: they are most at risk from spear phishing and whaling attempts, so their training must be a greater focus, not a lesser one, no matter how busy they are.

These four policies are really the cornerstones of what you need to keep your data safe in the real world and the virtual world, provided they are implemented properly and followed consistently on an ongoing basis.

If you’d like any help applying them to your organisation or in developing or implementing the tools to support such policies, please get in touch with the Grant McGregor team. We are always happy to share our wisdom and support best practice.

If you like this blog, do share it socially and why not subscribe to our weekly blog to get relevant help, tips and advice on information technology, data security and business improvement.
