Data security 101: Steps you can take now to keep your data protected

2018 is an important year for data security. The General Data Protection Regulation (GDPR) signals a worldwide step-change in the way organisations must handle personal data. Data protection requirements and sanctions have never been stricter, and companies must now act to bring their data security up to the new standard or risk hefty financial and reputational penalties.

So what fundamental steps can you take now to improve your data security? We’ve pulled together five things you can do today to keep that valuable personal data safe:


1. Delete data

This one sounds obvious, but it’s also one of the most effective. If you’re storing enough data to run a small server farm, you might want to ask yourself: “how much of this do I actually need?” One way to keep personal data secure is simply to get rid of it, especially if the data is old, has served its purpose, or is no longer relevant.

Encourage your staff to go through their own user accounts and tidy up any personal data they contain. Get them to delete data that is no longer useful and move sensitive personal data into password-protected folders or locations. In larger companies, or those that have been operating for a long time, you will be amazed at the amount of sensitive data that can be found buried deep within the company network yet still open to multiple users.

A full system clean-up is a good idea, and a great place to start on the road to data security.


2. Limit data portability / transfer securely

Have you ever sat down and mapped all the data streams coming into and leaving your company? Chances are you haven’t. The fact is, most modern companies have many data sources entering and exiting their network daily, and one thing to keep in mind when striving for data security is limiting these sources on a need-to-access basis, especially when they contain personal data.

Limiting access is fine, but what about the transfer itself? If you send data on a regular basis using file transfer, make sure you use an encrypted transfer protocol such as SFTP, which, unlike standard FTP, protects both the login credentials and the data in transit and is far more difficult for an attacker to intercept.


3. Maintain a data register

Building on the point above, and in addition to keeping a map of data streams, it is advisable to create and maintain a data register. This critical document should be kept up to date by all key staff and should record what data is stored, where it comes from and where it goes, how it is stored, and for how long. Finally, and importantly, it should record why the data is stored, i.e. for what purpose it will be used. Answering all of these questions helps you keep an accurate eye on data security, and provides a solid defence should the worst happen and your company be audited by the regulator.


4. Monitor data access and report breaches immediately

IT companies such as Dynamic Edge can work with clients to create proactive data monitoring systems designed to alert key staff in the event of a breach or unauthorised access to personal data. GDPR-ready companies already have measures like this in place, allowing them to act quickly when data is compromised.

It is now a legal requirement to report data breaches to the regulator immediately, without delay. When you are audited, it will work in your favour if you have proactive monitoring in place and can report the situation fully equipped with the core information behind the breach.


5. Update and act upon your privacy policy

You know that little link at the foot of every webpage that’s barely ever clicked and read even less? Well, it just became a lot more important with the arrival of GDPR. Your privacy policy is your company’s “agreement” with its data subjects, and GDPR states that all subjects must now clearly opt in to having their data processed by your company.

A good privacy policy should clearly tell subjects how their data will be used, who will be processing it and have access to it, and for what period it will be retained. The latest data security regulations also state that companies must respond to subject “access requests” within a set period with all the information processed about the subject. Subjects also have the “right to be forgotten”, meaning it must take no more effort for them to have their data removed from the company database than it took to add it.

Of course, the steps above only scratch the surface on the path to complete data security. Dynamic Edge are data security experts and can help you map out a data security strategy that fits your business goals.


Contact us and we’ll arrange a coffee with you to chat through existing case studies and how we might help you.