GDPR IT compliance for Small Businesses

The General Data Protection Regulation is coming this year (25th May 2018) and the time to act is now.

The focus of this blog is on Small Businesses in the UK with limited resources and stretched budgets. It's a collection of practical steps to take in order to assess your compliance, specifically around your IT systems, IT procedures and IT policies.

There is a lot of guidance and documentation available online, but my information comes straight from 'the horse's mouth', in this case, that’s the Information Commissioner's Office (ICO). They will be policing the new regulations, so it makes sense to go to them for guidance.

There are many reasons to want to comply, such as business best practice and building customer confidence through secure and safe storage of personal information. Then there are the hefty fines that the ICO can dole out. After the 25th of May, the ICO could levy penalties up to the new limit of €20 million or 4% of annual global turnover, whichever is higher!

Give us a call on 01943 666 711 if you would like to know how we could help.

Let's look at some practical steps to take for your business:

1: Assess the threat and risk to your business
Review all of the data that you hold and consider the damage or stress it could cause if that data was subject to a security breach.

Follow your business processes and identify where and how your data is stored, collected and disposed of. With this information, you can decide on the appropriate measures for your needs.

2: Cyber Essentials - your Cyber Security Guide
Cyber Essentials is a government backed scheme to help protect businesses against the most common types of cyber threat.

The majority of cyber-attacks can be mitigated by applying good practice configurations and settings in the following 4 areas:

1 - Firewalls - implement and configure gateway firewalls and computer firewalls to secure your internet connection.
2 - Secure your devices and software - change default system passwords, and implement strong passwords and multi-factor authentication where possible.
3 - Control access to your data and systems - minimise damage by giving 'just enough' access to data and systems for staff to perform their jobs.
4 - Protect yourself from virus and malware attacks - only use vendor-approved software and always use anti-virus software... even better, use Endpoint Protection (anti-virus, anti-malware, firewall and web control all in one). Always keep your software patched and up to date.

3: Secure your data... physically
Theft of filing cabinets and computers holding personal information is a real risk. If you know where your data is, you can better secure it.

There are several practical steps that can be taken to secure your data, like:

- Store sensitive data and computers in a separate, locked room.
- Prevent access to USB drives or CD-ROMs by implementing a device security policy.
- Where personal data is stored on laptops or mobile devices, secure and encrypt those devices.
- If you allow users to BYOD (bring their own device) from home into work, you may want to consider a 'BYOD policy' stipulating how that device can be used and what (if any) business data can be stored on it.
- Secure your data in the cloud.
- If you decide to move some of your IT services to a Cloud Service Provider, you should assess their security measures to ensure that they are appropriate.

Be aware of what data you have stored in the cloud and implement 2FA (two factor authentication) where possible in case your credentials are compromised.

4: Backup your data
In the event of a disaster (fire, flood, theft, etc.) you need to be back up and running as quickly as possible. Malware and ransomware can also disrupt your data availability; loss of data is a breach of the Data Protection Act (DPA).

Implement a 3-2-1 data backup policy - 3 copies of your data, on 2 different media, with 1 copy off-site. Having a proper strategy will protect your data in the event of a disaster or ransomware attack (where your data is encrypted).
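As an added example (not code from the original post), the small Python checker below evaluates a constructed backup inventory against the 3-2-1 rule above; the extra "detached" check goes beyond the rule as stated, flagging inventories in which every copy is writable from the office network and so could be encrypted along with the originals in a ransomware attack.

```python
# Added example, not part of the original post. Evaluates a backup
# inventory against the 3-2-1 rule: 3 copies, 2 media types, 1 off-site.
from collections import Counter

# Constructed sample inventory for one data set (hypothetical systems).
SAMPLE_INVENTORY = [
    {"name": "office-nas",   "media": "disk",  "location": "on-site",  "writable": True},
    {"name": "usb-drive",    "media": "disk",  "location": "on-site",  "writable": True},
    {"name": "cloud-bucket", "media": "cloud", "location": "off-site", "writable": False},
]

CORE_CHECKS = ("three_copies", "two_media", "one_offsite")


def check_321(copies):
    """Return one finding per condition; 'compliant' covers only the
    three core 3-2-1 conditions, 'one_detached' is the ransomware caveat."""
    media_types = Counter(c["media"] for c in copies)
    offsite = [c["name"] for c in copies if c["location"] == "off-site"]
    # A copy that cannot be written from the production network is not
    # reachable by ransomware running on an office machine.
    detached = [c["name"] for c in copies if not c["writable"]]
    findings = {
        "three_copies": len(copies) >= 3,
        "two_media": len(media_types) >= 2,
        "one_offsite": len(offsite) >= 1,
        "one_detached": len(detached) >= 1,
    }
    findings["compliant"] = all(findings[k] for k in CORE_CHECKS)
    return findings


def report(copies):
    """Human-readable lines listing which conditions pass or fail."""
    f = check_321(copies)
    status = lambda ok: "ok" if ok else "FAIL"
    return [
        f"copies: {len(copies)} (need 3) -> {status(f['three_copies'])}",
        f"media types: {len(set(c['media'] for c in copies))} (need 2) -> {status(f['two_media'])}",
        f"off-site copy present -> {status(f['one_offsite'])}",
        f"detached/read-only copy present (ransomware caveat) -> {status(f['one_detached'])}",
        f"3-2-1 compliant: {f['compliant']}",
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_INVENTORY):
        print(line)
```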

5: Train your staff
Accidental disclosure and human error are the leading causes of data breaches.

Train your staff on how to recognise threats like phishing emails and malware links. Small businesses often fall victim when publishing items in social media about the business ('Look at our shiny new delivery of laptops and phones' could result in a burglary!).

6: Monitor security logs
Regularly reviewing security logs can alert you to a potential vulnerability or attack.

You should be asking your IT provider to help you with this so that you have an automated alerting mechanism.

7: Have a policy so that you know how to react in case of a breach
A good policy will help you to address risks and an incident management document can reduce stress and risk in the event of a breach.

8: Minimise your data
If you don't need it any longer, delete or dispose of it properly.

Records should be kept up to date and cleared out if they are no longer required. Old computer equipment should be properly disposed of so that no confidential personal data is left on the hard drive.

9: Is your IT contractor doing what they should be?
If you (like many small businesses) outsource any of your IT services, make sure that your provider is treating your data with at least the same respect as you would.

You should have written contracts in place with your IT provider. Visit their premises if you feel it's appropriate and ensure that they are disposing of your equipment properly.

Our advice is to act now, before the 25th of May so that you have time to evaluate the risks and act on your findings.

Please find some links below for further reading. Feel free to contact us via our website, or call us on 01943 666 711, if you have any questions or would like help securing your business-critical data and systems.

Cyber Essentials

Preparing for GDPR in 12 steps

Ref: IT security practical guide
