One of the most important aspects of GDPR is the IT element. This involves putting processes and systems in place to protect your data. This could be any data you hold about people, including your clients, staff and prospects.
If you experience a cyber breach, you will have 72 hours to let your clients (or anyone involved, such as your prospects) know. If you do not you will be eligible for a fine.
A fine from breaching GDPR’s Laws can be up to £17 million, or 4% of your global turnover.
What’s more, is that if you experience a cyber breach, but cannot prove you have taken adequate measures to prevent it, you can expect a fine. If you can prove you have adequately protected your data, you are less likely to receive a fine.
The consequences of not being GDPR compliant are high. We’ve created this list of 5 IT processes you can put in place to help become GDPR compliant. Best of all, is that you can implement these processes now, and for free. Enjoy.
Enforce a Strict Password Policy
While this may seem simple, it’s an important aspect to protecting your business. In fact, it’s even a question in the Cyber Essentials Plus Assessment, which is a government scheme that once achieved will ensure you're GDPR compliant for the IT side.
The password policy must include guidance on how to choose complex passwords. A complex password uses over 8 characters, has numbers and symbols and uses both upper and lower-case letters.
No one in your business should be using the same password on different accounts. The reason for this is that if one particular website that one of your employees is signed up with is breached by a cyber-attack, cyber criminals can use that same password on other accounts the employee may have, including your business. If the password is the same then your business can be easily penetrated.
Of course, it’s difficult to remember lots of different passwords, which is where LastPass comes in. LastPass is a free plugin that you can use whilst browsing the internet. It can create complex passwords and save them for you, so you don’t have to remember them.
Put a Payment and Transfer of Funds Procedure in Place.
Phishing emails that try to get you to make a payment or transfer funds to a fake account are incredibly common. Most businesses receive a few a week. Sometimes, they can be very clever and actually fool businesses. There are (too) many cases of businesses in the UK giving large amounts of cash to cyber criminals because of a convincing phishing email. For example, sometimes a phishing email can impersonate a supplier, or even impersonate the MD of your company, and email your staff demanding an urgent payment to be made.
Having a Payment and Transfer of Funds Procedure in place will prevent this from happening.
You should make your staff aware that changes to bank account details, or requests for payments, should never be done over email, and that if there is, it should be confirmed with a legitimate contact over the telephone.
Limit Individuals Access to Data.
One concern of GDPR is that not everyone should be given access to data unless they need to be. This is to minimise risk in case a breach did occur. There will probably be departments in your business that don’t need to access to all your client or prospect records. Each staff member should only be allowed to access the data they need. This will differ from company to company.
You can set up your systems so that only certain departments have access to the folders that they need.
Educate your staff on Cyber Security
You don’t need to pay for expensive cyber security training, there are many free resources online. The first thing you should do is to make sure that all of your employees know how to recognise a phishing email. Here is an article you should send to all your staff:
Implement Administrator Accounts
When you implement administrator accounts it means certain features of everyone’s PCs will be limited to administrator access. For example, installing new software will need administrator approval. This can be done by setting up certain rules. If someone at your organisation was to do something such as try and download some new software, a box will pop up requiring administrator log in credentials. If they want something installed they must get the approval of the administrator. This is a handy way to make sure no fake programs that may contain malicious content are installed onto your network and only legitimate, safe programs are installed.
Every company is at risk of data and security issues. Having the Cyber Essentials Plus Certification means you’ll be GDPR compliant for the IT side. To find out more please call us on 01273 806211 or email me, James, at [email protected]
Written by James Batchelor Managing Director