It’s not just about IT! Data Protection By Design

Implementing GDPR is not just about IT systems and making them compliant with the regulations. Data exists in many forms; in many organisations, however, the greatest risk of a breach comes from physical data. Many businesses have overlooked the physical aspect of GDPR, so this article explores the risks presented by physical data and what you should do to mitigate them.

Physical Risk

Some physical risks are obvious, e.g. loss through data being dropped, left behind or misplaced. These kinds of incidents have been well documented, for example when MI5 and the UK Government suffered data loss through losing paperwork or storage devices. However, some risks fly under the radar, such as secure data destruction. If your business is storing or filing PII (Personally Identifiable Information), you must have the policies and procedures in place to prevent data loss.

Physical risks to data also exist in the form of misfiled data: someone has put HR data in with your finance records, or left it loose in a box of files. These are still cases of data loss, because even though the records are still in your office building, you have lost control and visibility of them. This and many other data loss cases in the physical world happen through carelessness. Whether data is left on the train or placed in that drawer which (one day) will get sorted out, it is still data loss!

When was the last time your business checked how your data destruction company was actually disposing of and handling your waste? In some cases ‘data destruction’ or ‘shredding’ companies are a law unto themselves, using less than acceptable methods to reduce cost and admin time. The truth of the matter is that companies remain responsible for this data and so should know what happens to it when it leaves the office.

In rare cases physical data can be stolen, either deliberately or by chance. This cannot always be prevented, but businesses need to ensure that their processes mitigate against data loss by offering secure transport solutions for paper records.

The most obvious and most under-thought part of physical data protection is locks, safes and keys. Does your business have locked filing cabinets? Who has keys? Do they need access to all the data in the cabinet? Is the key stored safely and securely? What about your doors: are they all locked, with either a physical key or an electronic system? Is access properly controlled? These questions should be asked of every location where PII can be found or is stored.


How do you prevent physical data loss?

With data protection by design, best practice is to start from the most basic action; for physical security, that means starting with access:

• Are all doors into offices, storage locations and the building locked when not in use? Do only the staff who need access have keys/access to these areas?

• Are all file storage systems (filing cabinets, drawers etc.) locked? Do only the staff who need access have keys/access to these systems?

• Are all your employees’ desks “clean” when not in use? Is data left openly on display? Does this data pose a risk to the rights and freedoms of any living person?

• Do your employees take personally identifiable information about your customers/clients or business colleagues home or offsite?

• How is data transported?

• When data reaches its destination, how is it stored?

You should make sure that all of your GDPR compliance documentation reflects the steps you have taken to move from non-compliance to compliance, including all the steps taken against physical loss as shown above.

Conclusions and next steps

As with my previous articles on data protection by design, this is not the end of the road. Making data protection a critical part of your design process and making data protection part of your everyday business processes will only strengthen your business.

You should be thinking about the bigger picture when looking at GDPR compliance, beyond IT and your IT systems. Treat GDPR as a business-wide issue and look to gain compliance by instigating changes across all parts of your organisation.

For more information on GDPR, or on IT security and support solutions for your business in general, give our Planet IT team a call today.

The Top 5 Things you need to know about GDPR for your Business

As the 25th May deadline approaches, it feels like all anyone is talking about is GDPR and what it will mean for businesses, large and small.

So, in an online world of endless, confusing information about what GDPR is, we have devised the top 5 things that you need to know and how to action them for your business.


1. GDPR will affect your business – no business in the UK is excluded from the requirement to be compliant with GDPR; this covers all sectors and verticals.

2. Brexit makes no difference – regardless of when we leave the EU and what the final deal is, the Government will transition the regulations into British law on that date; this has been defined in the British Data Protection Bill.

3. With GDPR you are required to prove compliance – under the DPA you could simply say you were compliant, with no proof required; with GDPR the focus shifts heavily to being able to prove that you are compliant and to show the steps that have been taken.


4. It’s not just about IT – although most systems in a modern business will be related to IT, GDPR is not just a problem for your IT department or provider. It will affect your whole business and will require changes in most areas of the business and its practices.

5. It’s not too late to act – you still have time to get your business compliant.

Get in touch with one of our expert consultants now 012345 433900 or enquiries@planet-it.net

Education, Education, Education… People are the key to GDPR success

For a business, trying to achieve compliance with GDPR by May is a daunting task. The sheer volume of required changes, policies, procedures and business-wide adjustments can be enough to overwhelm the best of us. Because of this I have noticed a trend which could potentially lead to the failure of many businesses’ GDPR compliance projects. This comes in the form of staff awareness and training.

Many organisations have started laying the foundations of solid compliance, but are missing the key to delivering this project to completion. If your staff don’t know about GDPR, what it means for their roles and how the business is adjusting to facilitate these changes, how are they expected to work in a GDPR-compliant way once your changes are implemented?

To combat this you should look to train all staff. This should take the form of formal, recorded staff training with all staff required to be present, and the sessions should cover everyone from the cleaners to the board. By taking this simple step, businesses can not only accelerate their compliance but also ensure best practice across the board.

3n$rYpt!0N…Encryption under GDPR

The regulations are quite forthcoming about what is needed in terms of encryption. In short, everything should be encrypted, and this should be done to protect the rights and freedoms of those whose data is captured.

What this means is that data should be encrypted not only at rest (on your server/computer/tablet) but also in transit (via e-mail or file transfer) and during use. Now, we know this doesn’t sound easy. Managing encryption of data At Rest (AR), In Transit (IT) and In Use (IU) is a massive challenge for businesses that don’t currently have encryption, but it can be achieved using a number of products.

Planet IT are able to offer businesses the following products, which we believe will tick many of your security and data-compliance boxes:

  • Sophos SafeGuard Encryption
  • Bitglass
  • BitLocker and FileVault
  • Microsoft Office 365 Security and Compliance Centre

Sophos Safeguard Encryption

Sophos SafeGuard Encryption encrypts every file created on a system so that it can only be decrypted by someone using the same software who has been granted access to the file. This really is as simple as it sounds and is a great option for any business trying to become GDPR compliant. Looking at the demo of Sophos SafeGuard Encryption, the protection it provides to documents both IU and AR is unparalleled.

It provides not only file-level protection but whole-system protection through BitLocker or macOS’s FileVault. This is unlike any other product on the market, leveraging the built-in OS technology to maximise the protection provided. On top of all this, it can protect files transferred off the system via USB, file share or to the cloud.

If you are a Sophos customer using one of their other products, this move makes perfect sense: it integrates seamlessly with their desktop protection products (Antivirus and Intercept X) and their network protection units such as the SG and XG lines.

You can find more information here https://www.sophos.com/en-us/products/safeguard-encryption.aspx

Bitglass

Bitglass is a different technology to Sophos and comes from the space where firewalls and content protection would traditionally have sat, or, for those in the technology space, CASB (Cloud Access Security Broker). The platform combines antivirus/anti-malware (provided by Cylance), access control, data loss prevention and visibility in a single place. Bitglass can sit in front of any cloud service and apply itself to your data source.

Bitglass offers a great platform for anyone who is based completely in the cloud and has very stringent data protection or legal compliance obligations to abide by. However, if your business is focused on mobility and home working, this platform presents more issues than it’s worth.

Bitglass can be found here https://www.bitglass.com 

BitLocker and FileVault

Both BitLocker and FileVault are tools built into modern operating systems. BitLocker is available for free inside Windows 7 (Enterprise and Ultimate editions), 8 (Pro and Enterprise editions), 8.1 (Pro and Enterprise editions) and 10 (Pro, Enterprise and Education editions), and FileVault is free inside macOS and OS X (10.3 or higher).

This software provides disk-level encryption, and the basis of its operation is as follows. The hard drive is encrypted in such a way that only the hardware that performed the encryption can reverse it and open the files, which means that if your laptop or desktop hard drive is removed and placed into different hardware to be read, it will fail. This technology is critical for any business which allows its devices to leave site. Businesses cannot risk having hardware containing business-sensitive data roaming freely around without basic levels of protection in place.

BitLocker can also be used to encrypt mobile storage such as USB sticks, external hard drives and memory cards. However, it is worth noting that if you use this technology on an external drive, it cannot be read on a PC that is not running Windows 7 or above, which can cause compatibility issues with macOS and Linux.
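Because a business can only claim that roaming devices are protected if it actually checks, the following PowerShell is an added example (not code from this article, Planet IT or Microsoft) of how to audit the BitLocker state of every volume on a Windows machine using the built-in BitLocker module, and how to bring an unprotected system drive up to a TPM-plus-recovery-password baseline. The cmdlets are the standard ones from the BitLocker module; the report path, the choice of XTS-AES-256 and the assumption that recovery passwords are escrowed to Active Directory are mine.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker on every volume and flag drives that would leave site
# unprotected. Needs the BitLocker PowerShell module (Windows 8 / Server 2012 and later,
# Pro/Enterprise/Education editions) and an elevated session.
Import-Module BitLocker

function Get-BitLockerAudit {
    <#
    .SYNOPSIS
    Returns one object per volume with its encryption state and a Finding field:
    UNPROTECTED     - no key protectors are active (never enabled, or suspended)
    NO_RECOVERY_KEY - encrypted, but no recovery password exists, so nothing can be escrowed
    OK              - protected and recoverable
    #>
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types       = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasTpm      = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
        $hasRecovery = $types -contains 'RecoveryPassword'

        if ($vol.ProtectionStatus -ne 'On') { $finding = 'UNPROTECTED' }
        elseif (-not $hasRecovery)          { $finding = 'NO_RECOVERY_KEY' }
        else                                { $finding = 'OK' }

        [pscustomobject]@{
            MountPoint           = $vol.MountPoint
            VolumeType           = $vol.VolumeType           # OperatingSystem or Data (fixed/removable)
            VolumeStatus         = $vol.VolumeStatus         # FullyEncrypted, FullyDecrypted, EncryptionInProgress ...
            ProtectionStatus     = $vol.ProtectionStatus     # On / Off (Off also covers a suspended volume)
            EncryptionMethod     = $vol.EncryptionMethod     # e.g. XtsAes256
            EncryptionPercentage = $vol.EncryptionPercentage
            TpmProtector         = $hasTpm
            RecoveryPassword     = $hasRecovery
            Finding              = $finding
        }
    }
}

function Enable-BitLockerBaseline {
    <#
    .SYNOPSIS
    Remediation for an UNPROTECTED operating-system volume: TPM protector plus a recovery
    password, which is then backed up to Active Directory. Run with -WhatIf first.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$MountPoint = $env:SystemDrive)   # e.g. 'C:'

    if ($PSCmdlet.ShouldProcess($MountPoint, 'Enable BitLocker with TPM + recovery password')) {
        # XTS-AES-256 is an assumption; pick the method your policy mandates.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $id  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })[-1].KeyProtectorId
        # Escrow the recovery password; assumes the "Store BitLocker recovery information in AD DS"
        # group policy is in place so the key is never held only on the device.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id
    }
}

# Usage: list every volume, then keep a record of the ones that need attention.
$audit = Get-BitLockerAudit
$audit | Format-Table MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionMethod, Finding -AutoSize
$audit | Where-Object Finding -ne 'OK' |
    Export-Csv -Path "$env:ProgramData\bitlocker-findings.csv" -NoTypeInformation   # assumed report path
```

The audit deliberately treats a suspended volume (ProtectionStatus Off while VolumeStatus is still FullyEncrypted) as unprotected, because a suspended drive can be read in another machine exactly as the article warns. The CSV of findings is the kind of evidence the earlier article on proving compliance asks for: it records which devices were checked, when, and what was done.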

Another point of note with BitLocker and FileVault is that this technology can be combined with other platforms, such as Sophos SafeGuard, to increase device protection beyond that offered by either platform alone.

More information on BitLocker can be found here https://technet.microsoft.com/en-us/library/cc732774(v=ws.11).aspx

More information on FileVault can be found here https://support.apple.com/en-gb/HT204837

Microsoft Office 365 Security and Compliance Centre

This solution offers nearly all the features of Bitglass but in a less intrusive way, and it allows you to leverage all the features of Office 365 and the Azure platform.

With data classification, data loss prevention, data governance and threat management, this tool offers all the pieces of the puzzle that you need to meet GDPR compliance, and it is only getting better by the day. The way that Microsoft have set up Office 365 means you’re constantly receiving new features and improvements, and this shows massively in the Security and Compliance Centre. Microsoft have a clear GDPR roadmap for Office 365, and this tool will give you all the protection you need for the data that is stored on Office 365.

Warning! This takes some time to configure and may require specialist support to ensure the data is being handled correctly; however, the zero-cost option is always one preferred by businesses.

My personal view on this toolset is: don’t run off buying a product like Bitglass until you have given the Security and Compliance Centre a run for its money, as it is more than likely going to give your compliance team the peace of mind they need.

More information on Microsoft Office 365 Security and Compliance Centre can be found here https://technet.microsoft.com/en-GB/library/dn876574.aspx


The Data Protection Bill – GDPR

So you have heard about this Data Protection Bill? Or at least you have heard the media talking about this revolution in the rights of British citizens in relation to their data.

Well, fear not: the Data Protection Bill, in short, is just the UK Government taking the steps to meet its obligation to turn GDPR into UK law. All countries in the EU have done, or will be doing, the same.

The reason it’s in the media so much is that for the average British citizen it would seem like a revolution; for a data specialist, or anyone who has heard the words GDPR, it is simply the same old story with a new title.

The only element of the Data Protection Bill that may be seen as different is that the UK has elected to set the age of consent at 16, which is higher than in some countries in the EU. However, this is one of the only rules under the implementation of GDPR that the national government gets to set.

So keep calm and carry on with your GDPR compliance program.
