By Mark Edwards, director, StoneHouse Logic
Information security is an essential part of working to GDPR legislation. All your hard work following the new rules will have been for nothing if your data then falls into the wrong hands.

The Information Commissioner’s Office puts the responsibility on the company holding the data.
It says that you must ensure “appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

So what does that mean for a business like yours? The key phrase is ‘appropriate measures’.
One major component in your defence will be encryption. This means that even if data is lost, no outside party will be able to make sense of it anyway.

A prime example of this is laptops, as they typically carry data outside of the business. Encrypting them stops the data being read if they are lost.
There are also general best-practice steps that you should consider taking for the overall security of your business.

Most importantly, don’t give anybody access to data that they don’t need for their role. Set specific access privileges for each user and each piece of sensitive information, and disable accounts when a user leaves your organisation.
Implement a written policy on the use of USB drives, laptops, and any technology that can result in data leaving your premises. Track all devices that leave the business, and ensure data is removed from any device that is no longer needed. In some cases, access can even be revoked and data deleted remotely. Crucially, each of these measures requires your business to know which user has access to which information.