The Essential GDPR IT Checklist
On 25 May 2018, all other data protection regulations within Europe will be replaced with the EU General Data Protection Regulation (EU GDPR). Along with it come large fines: up to €20 million, or 4% of the organisation’s global turnover, whichever is higher.
The GDPR does two things: it protects the data rights of EU citizens, and it protects their privacy, i.e. their personal data. Anyone who does business within the single market will have to comply with it, regardless of the UK leaving the EU.
In terms of IT, the overlaps with security are substantial. Robust, multi-layered security, in the name of protecting data, operating at network, device and user level, does much to protect the associated rights. Detect and respond should always be favoured over protect and defend. And the endpoints should be the starting point: both for the device and for the user.
For example: the right to be forgotten requires organisations to erase all of a client’s data, including all copies, should they request it. This requires a data map covering what data is stored, where, and who has rights to it. The same could be said for cyber security. YOU MUST DO YOUR DUE DILIGENCE AND BE ABLE TO DEMONSTRATE IT!!
Here are the 10 essential actions you need to take before the May 2018 deadline.
Stage One: Audit the data you hold
The first stage is to assess your situation. By understanding what you have and where it is, you’ll have a better understanding on what you need to do to comply.
Audit your data
Identify what personal data you hold, where it lives, who has access to it and on what devices.
Audit your service partners
Make sure every service partner – cloud storage (including offsite backup), email solution etc. – that has access to your data is also compliant with GDPR. Your IT provider should be doing their own due diligence on your behalf.
Audit all authorised and unauthorised devices with access to personal data
Make sure you know every single device that has access to personal data – local PCs, mobile devices, remote workers’ PCs and so on.
Stage Two: Access Control
The second stage is controlling who has access to this data and keeping track of who has it. It also means having a strategy to prevent a single breach from granting access to everything.
Ensure administrative privilege control
Make sure administrative actions are only taken by a select few, ensuring you minimise the risk of others gaining control of the network.
Ensure tiered access to personal data
Control access to data on a need-to-know basis. This should be based on the user, the device and the network the request is coming from. Ask: does the person need access to perform their job?
Ensure remote access and erasure rights for company data
Ensure your infrastructure has the ability to retrieve and erase data from all devices with access to personal data, especially in instances of loss or theft.
Invest in new, more secure devices
Look to implement robust security to detect and respond to breaches. Prevention is always the best strategy, but sadly not always realistic.
Implement a regular patch management solution
Beyond traditional network defences – antivirus, antimalware, a solid firewall etc. – it is essential to have a (preferably cloud-based) patch management solution in place, ensuring all your third-party plugins are kept up to date (Jupiter IT provides this as standard with all IT Support Contracts).
Implement real-time detect and response software
Secure your endpoints with practical real-time breach responses e.g. quarantining or terminating processes and devices. Include a Security Information and Event Management (SIEM) tool.
Conduct in house employee training in cyber security
Jupiter IT can help with this if need be. 58% of cyber threats come from insider negligence or malice. In-house training can show staff how to perform basic due diligence checks to ensure systems aren’t compromised.
Aside from building security, these actions help to achieve compliance with the following key provisions of the GDPR:
- Report data breaches within 72 hours; and prove due diligence in preventing them.
- The right to be forgotten: erase all of an EU citizen’s personal data upon their request.
- Data portability: provide all personal data of an EU citizen in a format accessible to them.
- International transfers: ensure data is only transferred to other GDPR compliant organisations, or those within jurisdictions deemed ‘adequate’.
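The data audit in Stage One, the need-to-know access decision in Stage Two (user, device and network), and the erasure and portability provisions above all rest on the same artefact: a data map of where personal data lives and who may read it. The following is an added example, not code from the original article or from Jupiter IT, of such a map in Python. Every system name, location, user, device and record in it is a constructed sample value; the roles, the "managed/patched" device flags and the trusted-network list are assumptions chosen for illustration.

```python
# Added example (not from the original article): a minimal personal-data map with
# need-to-know access decisions and the lookups needed to answer a subject's
# export or erasure request. All systems, users and records are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Store:
    """One place personal data lives: the system, its location, the personal-data
    fields it holds, the roles allowed to read it, and (constructed) per-subject records."""
    name: str
    location: str
    fields: Set[str]
    roles: Set[str]
    records: Dict[str, Dict[str, str]] = field(default_factory=dict)


@dataclass
class User:
    name: str
    roles: Set[str]


@dataclass
class Device:
    name: str
    managed: bool  # enrolled in management, so it can be remotely retrieved/erased
    patched: bool  # patch management reports it as current


# Assumption: only requests from these networks may reach personal data.
TRUSTED_NETWORKS = {"office", "vpn"}


def build_data_map() -> List[Store]:
    """Constructed inventory: a CRM, a billing database, an offsite backup and a SaaS mailer.
    Note that the backup copy is part of the map, so erasure reaches it too."""
    subject = "S-1001"  # constructed subject id
    return [
        Store("crm", "eu-west-1/rds", {"name", "email", "phone"}, {"sales", "support"},
              {subject: {"name": "Alice Example", "email": "alice@example.invalid"}}),
        Store("billing", "on-prem/sql01", {"name", "address", "iban"}, {"finance"},
              {subject: {"name": "Alice Example", "iban": "GB00EXAMPLE"}}),
        Store("offsite-backup", "backup-provider-eu",
              {"name", "email", "phone", "address", "iban"}, {"it_admin"},
              {subject: {"snapshot": "2018-04-01"}}),
        Store("mailing-list", "saas-email-provider", {"email"}, {"marketing"},
              {subject: {"email": "alice@example.invalid"}}),
    ]


def stores_holding(data_map: List[Store], field_name: str) -> List[str]:
    """Stage One audit: which systems hold a given category of personal data."""
    return sorted(s.name for s in data_map if field_name in s.fields)


def may_access(user: User, device: Device, network: str, store: Store) -> Tuple[bool, str]:
    """Stage Two need-to-know decision: role must need the store, the device must be
    managed and patched, and the request must come from a trusted network."""
    if not user.roles & store.roles:
        return False, f"{user.name} has no role that needs {store.name}"
    if not device.managed:
        return False, f"{device.name} is not a managed device"
    if not device.patched:
        return False, f"{device.name} is missing patches"
    if network not in TRUSTED_NETWORKS:
        return False, f"requests from the {network} network are not allowed"
    return True, "allowed"


def subject_footprint(data_map: List[Store], subject_id: str) -> Dict[str, str]:
    """Every system and location holding the subject: the erasure target list."""
    return {s.name: s.location for s in data_map if subject_id in s.records}


def export_subject(data_map: List[Store], subject_id: str) -> Dict[str, Dict[str, str]]:
    """Data portability: collect the subject's records from every store."""
    return {s.name: dict(s.records[subject_id]) for s in data_map if subject_id in s.records}


def erase_subject(data_map: List[Store], subject_id: str) -> List[str]:
    """Right to be forgotten: remove the subject from every store, copies included,
    and return the systems touched. Fails loudly if any copy survives."""
    touched = [s.name for s in data_map if s.records.pop(subject_id, None) is not None]
    if subject_footprint(data_map, subject_id):
        raise RuntimeError("erasure incomplete")
    return sorted(touched)


if __name__ == "__main__":
    dm = build_data_map()
    print("systems holding email:", stores_holding(dm, "email"))
    sales = User("bob", {"sales"})
    laptop = Device("LT-42", managed=True, patched=True)
    print("sales -> crm:", may_access(sales, laptop, "vpn", dm[0]))
    print("sales -> billing:", may_access(sales, laptop, "vpn", dm[1]))
    print("export:", export_subject(dm, "S-1001"))
    print("erased from:", erase_subject(dm, "S-1001"))
```

The access check deliberately reports why a request was refused; in practice those reasons are what you would log and feed to a SIEM, and the footprint/erasure pair is what lets you demonstrate that an erasure request reached every copy, backups included.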
Discover how to secure and protect your business by contacting us here