Implementing GDPR is not just about IT systems and making them compliant with the regulations. Data exists in many forms, however in many organisations the greatest risk of breach comes in the forms of physical data. Many businesses have overlooked the physical aspect of the GDPR, this article explores the risk presented by physical data and what you should do to mitigate these.
Some physical risks are obvious, e.g loss through data being dropped, left behind or misplaced. These kinds of incidents have been well documented, for example; when Mi5 and the U.K Government suffered data loss through loosing paperwork or storage devices. However some risks fly under the radar, like secure data destruction. If your business is storing or filing secure PII (Personal Identifiable Information) then you must have the policies and procedures in place to prevent data loss.
Physical risks to data also exist in the forms of misfiled data, when someone has put HR data in with your finance records, or placed loose in a box of files. These are still cases of data loss, despite them still being present in your office building, however you have lost control and visibility of them. This and many other data loss cases in the physical world happen through carelessness, whether data is left on the train, or have been placed in that drawer, which (one day) will get sorted out, is still data loss!
When was the last time your business checked how your data destruction company was actually disposing of and handling your waste? In some cases ‘data destruction’ or ‘shredding’ companies are acting as a law upon themselves, using less than acceptable methods to reduce cost and admin time. The truth of the matter is, companies are responsible for this data and so, should know what happens to it when it leaves the office.
In rare cases physical data can be stolen, either on purpose or by coincidence. This cannot always be prevented, but businesses need to ensure that their processes mitigate against data loss by offering secure transport solutions for paper records.
The most obvious and most under-thought part of physical data protection is locks, safes and keys. Does your business have locked filling cabinets? Who has keys? Do they need access to all the data in the cabinet? Is the key stored safely and securely? What about your doors are they all locked, with either a physical key or electronic system. Is access properly controlled? These questions should be asked of all locations where PII can be found and is stored.
Implementing GDPR is not just about IT systems and making them compliant with the regulations. Data exists in many forms...
How do you prevent physical data loss?
With Data protection by design, the best practice is to start from the most basic action, in this case looking at physical security start from access;
• Are all doors into offices, storage locations and the building locked when not in use? Do only the staff whom need access have keys/access to these areas?
• Are all file storage systems (filling cabinets, draws etc.) locked? Do only the staff whom need access have keys/access to these systems?
• Are all your employees desks "clean" when not in use? Is data left openly on display? Does this data pose a risk to the freedoms and rights of any living persons?
• Do your employees take home or take offsite personal identifiable information about your customers/clients or business colleagues?
• How is data transported?
• When data reaches its destination how is it stored?
• You should make sure that all of your documentation for GDPR compliance reflects the steps you have taken to move from non-compliance to compliance including all the steps taken against physical loss as shown above.
Conclusions and next steps
As with my previous articles on data protection by design, this is not the end of the road. Making data protection a critical part of your design process and making data protection part of your everyday business processes will only strengthen your business.
You should be thinking about the bigger picture when looking at GDPR compliance beyond that of IT and your IT Systems, look at GDPR as a business wide issue and look to gain compliance by instigating changes across all parts of your organisation.
For more information on GDPR or IT security and support solution for your business in general, give our Planet IT team a call today.