6 Areas Of I.T. You Need To Make GDPR Friendly
GDPR legislation comes into effect on the 25th of May, replacing the Data Protection Directive 95/46/EC, so now's the time to get your IT in shape. The change will enforce much stricter regulation that must be followed to avoid heavy fines. Companies found non-compliant with the new rules can expect fines of up to 4% of annual turnover or 20 Million, whichever is higher.
This is all now common knowledge but, when speaking to our clients, we find that's where it usually ends. Due to the extremely dense information provided by the EU Parliament and the sometimes very woolly definitions offered within it, deciphering the impact on your business can seem a huge task. I hope in this blog to provide some more substantial and achievable goals to push you in the right direction.
As mentioned previously, ingesting the full meaning, and therefore the requirements, of the GDPR documentation is an almost impossible task. Certain statements can be interpreted in different ways, and caveats such as "Taking into account the state of the art, the costs of implementation and the nature, scope, context..." don't help to bring clarity at all. Unfortunately, it will only be when companies start to face fines and are called out on failures that we will truly see any clarity or hard and fast rules.
At MTech we think, then, that the correct way to approach GDPR right now lies in justification. We may not know the exact requirements for how our users' computers should be protected, but when the regulatory bodies come around we have the confidence that we can explain to them which technologies we employ as part of our strategy. What follows, then, are the 6 key areas we believe require attention as part of GDPR compliance.
Disaster Recovery
The first area I would like to discuss is disaster recovery. Although a lot of GDPR focuses on reducing the amount of data we hold on individuals, being able to maintain the data we do hold and protect against data loss is also a key area. Companies must ensure their backup and disaster recovery solution is reliable, secure and tested. Features including frequent backups during the day, encrypted backup files, multiple offsite copies of backup files and the speed of recovery are all requirements a protected business should value.
Cyber Attack
Next into focus is protection against cyber-attack. Preventing data breaches by properly protecting your environment is a major step towards compliance. As I hope some of you already know, email is the largest single origin of cyber-attacks: statistics from anti-virus vendors report that over 90% of attacks begin with a phishing email. It is key, therefore, that even with the most tech-savvy staff members, the business must also protect them.
Employing 3rd party solutions is a good answer. This places responsibility for maintaining virus definitions and filtering incoming email for potential threats with the provider. This isn't simply a 'buck passing' exercise though, as these companies invest huge amounts of money and technology in ensuring they deliver the service they promise, orders of magnitude more investment than a small business can afford internally!
Hardware & IT Systems
In a similar vein, we must also protect our physical systems and hardware internally. Several IT best practices come to mind straight away here, and hopefully they fall in line with what is already provisioned: ensuring all machines are up to date with software updates, especially security-based Windows updates; having anti-virus software installed on every work machine with up-to-date virus definitions; and having a firewall you know you can depend on, something like a Dell SonicWall with proper network protection licensing rather than the useless piece of plastic BT provide when they connect your line!
Remote Workers
Remote workers present additional challenges. Where we are opening holes in our perimeter security to allow remote staff to dial in to the office from home or whilst mobile, we must make sure we follow best practices to minimise this risk. Spending time and money sourcing and configuring a strong firewall would be wasted without using secure VPN technologies with vulnerability-free security protocols.
Encryption
Companies should also address whether they need to implement device encryption. This technology would mean that, should a computer be stolen, it would be impossible for even the most talented hackers to extract your data from it without your credentials. Technologies such as Microsoft Intune are a good place to centrally manage this higher requirement on your company's machines.
That is an awful lot of technology to consider in order to mark yourselves as GDPR compliant; however, the majority of it covers genuine risks to business that should be protected against. We should all be preparing our justifications and using GDPR as an opportunity to bring our businesses to a healthier, more resilient and secure cyber-state.
If you need any help with the technology or compliance discussed above, please reach out to our team!