The GDPR refers in many places to “appropriate technical and organisational measures” to protect personal data. While the media increasingly report on organisations being hacked, data breaches very often happen because of organisational failures rather than technical ones.
The Data Guardians recommend the following simple and practical organisational measures that you can put in place to protect and secure the personal data your organisation controls and processes.
Internal Policies and Procedures
Senior managers need to demonstrate their commitment to data protection and data security, and this starts with policies. For your employees to know what to do with these policies, they need to be backed up with detailed procedures, especially when dealing with the rights of the Data Subject, some of which are new, such as the Right to Erasure and the Right to Data Portability.
Access Control and Compartmentalising Shared Drives
Many think of access control as the physical security of the office, but it applies just as much to your IT systems. For example, not everyone needs access to your HR or customer databases. The same applies to your internal or cloud-based shared drives. By making each department’s area on the drive accessible only to those within that department, and reviewing that access when people join, move or leave, you are already minimising the risk of the data held there being compromised.
Clear Desk Policy
How many times have you walked up to the printer to find a document lying there that contains confidential or commercially sensitive information? At the end of the day, have you seen paperwork on people’s desks that really should have been locked away, or at least put out of sight in a drawer? A clear desk policy is critical in securing confidential information.
Staff Training
One of the simplest ways of promoting data protection within your organisation is to train your staff. To be compliant you need to be able to demonstrate what actions you have taken to prevent a breach from occurring, and that includes making sure employees have been properly trained on data protection and data privacy, and keeping a record of that training.
Implementation and Enforcement
For any of this to be effective there needs to be an implementation plan, and it is very important to formally check, on a regular basis, that the policies and procedures are actually being adhered to.
Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) must be carried out before starting any processing that “is likely to result in a high risk to the rights and freedoms of natural persons” (Article 35). In practice this means you should assess any new processing activity, and in particular the introduction of new technology to process customer or employee personal data, to decide whether a full DPIA is required.
Contracts with Third Parties
Many organisations will use other companies to process personal data on their behalf. Whenever your organisation sends personal data to another, there must be a written contract containing data protection and confidentiality clauses; Article 28 sets out the terms such a contract has to include. However, having such clauses does not absolve the data controller of its responsibilities. It should be remembered that under the GDPR a controller and a processor that are both responsible for the same damage can each be held liable for the whole of it, so that the data subject can recover in full from either of them.
Personal Data Breach Plan
Organisations must report a personal data breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the risk is high, the affected individuals must be told as well. Unless organisations have planned for this in advance, with a clear process for recognising, escalating and recording a breach, they will struggle to meet this requirement properly, and that failure will only exacerbate the crisis they now find themselves in.
Come and speak to us!
These measures are really just a starter-for-ten, but they will set your organisation on the right path. The Data Guardians’ Managing Director Matthew Lamb will be at Naidex giving a seminar on life after the 25th May GDPR deadline and will be happy to answer any questions you can throw at him! For more information on The Data Guardians, or to arrange a meeting at Naidex, get in touch via firstname.lastname@example.org. We look forward to meeting you!