Proper data protection, while not the most exciting subject, is an essential part of any business. Companies handling sensitive information like employee records or customer details must ensure it’s stored securely, and appropriately disposed of. When no longer required, payment details and financial data should be handled in-line with regulations, to avoid audit failures or, worse still, cybercrime.
New data protection rules come into force in May which impact on the way companies handle confidential information. The General Data Protection Regulation or GDPR is an EU regulation which gives people more say over what businesses can do with their personal data. It replaces the Data Protection Act 1998, and carries significant fines for those who don’t comply with it.
As a British company handling personal data, we’re subject to such rules and are taking all of the necessary steps to become GDPR compliant, including company-wide training.
Our Technology Director, Hanish Vithal, oversees everything we do at a technical level, and has these top tips to offer on the importance of sharing and storing data securely:
Have a defined Information Security Policy structure
An Information Security Policy structure offers oversight on a company’s information, systems, intellectual capital and shareholder value. Such policies help businesses operate effectively, by providing a framework for assessing risk. A typical IS policy is sub-divided into separate strands, and protects against things like theft, unauthorised access and improper use. Without one, businesses may be putting their personal data in danger.
Make sure your data is encrypted and pseudonym-protected
Many companies use cloud platforms such as Google Drive or Microsoft OneDrive to store data, as they’re easily accessible and simple to use. Cloud data is usually stored in an encrypted format, which makes it harder for hackers to obtain. Pseudonymisation is used as part of the encryption process, and works by replacing easily identifiable information in data with unique symbols or characters that mean nothing to a potential hacker.
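To make the pseudonymisation idea concrete, here is an added example (not code from the original post) that replaces direct identifiers in constructed customer records with keyed tokens. The key is held separately from the data, and a lookup table lets the data controller re-identify records; the field names and sample records are assumptions for illustration only.

```python
import hashlib
import hmac

# Fields treated as direct identifiers (assumption for this example).
DIRECT_IDENTIFIERS = ("name", "email", "phone")

# Constructed sample data, not real customers.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com", "plan": "pro"},
    {"id": 2, "name": "Bob Example", "email": "bob@example.com", "plan": "free"},
]


def pseudonymise_record(record, key, lookup):
    """Replace direct identifiers with tokens derived via HMAC-SHA256.

    `key` is the pseudonymisation secret and must be stored apart from the
    data set; `lookup` (token -> original value) is the re-identification
    table and is equally sensitive, so it is kept separately as well.
    The field name is mixed into the HMAC input so that the same value in
    two different fields does not yield the same token.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            value = str(out[field])
            digest = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256)
            token = digest.hexdigest()[:16]
            lookup[token] = value
            out[field] = token
    return out


def reidentify_record(record, lookup):
    """Restore original values using the separately held lookup table."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out and out[field] in lookup:
            out[field] = lookup[out[field]]
    return out


def pseudonymise_dataset(records, key):
    """Pseudonymise a list of records, returning the data and its lookup table."""
    lookup = {}
    return [pseudonymise_record(r, key, lookup) for r in records], lookup


if __name__ == "__main__":
    key = b"replace-with-a-randomly-generated-32-byte-secret"  # placeholder
    data, table = pseudonymise_dataset(SAMPLE_RECORDS, key)
    print(data)  # names and e-mails appear only as tokens
```

Because the tokens are keyed, the same record pseudonymised under a different key produces different tokens, so a copy of the data alone cannot be linked back to individuals.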
Avoid sharing passwords over email or storing them digitally without a password mechanism
In an ideal world, we would know all of our passwords off by heart and be able to recall them at the drop of a hat. But, seeing as this isn’t always possible, the best approach is to store them all on a password management system like Passpack. Password management systems offer strong client-side encryption, and can be accessed by multiple users at any given point in time.
Have back-ups in place
As a business, it’s paramount that you have a back-up facility in place in the event that your data is stolen, deleted or sabotaged. The best approach is to regularly back-up everything on a daily or weekly basis. Most companies opt for cloud-based back-ups, which are less labour-intensive and easier to manage.
Shred as you go
When printing off sensitive data in an office, make sure you handle it appropriately. If you’ve finished using it, shred it, or, if you need to keep hold of it for compliance reasons, store it in a physical folder that’s properly indexed and locked away.
Update your personal as well as professional devices
Everyone has some sort of computer device these days, but how many of us really take the time to regularly update them? Software updates, however annoying they might be, are there to minimise the risk of data leakage and system vulnerability. In some cases, they help correct bugs or improve the performance of devices. So, whenever you’re faced with a software update, take your time to familiarise yourself with it.
Use an online file storage service for sharing information
Online storage facilities like Google Drive are excellent for sharing and synchronising files securely. They can be used for creating as well as editing documents, spreadsheets, and presentations, in place of offline programmes like Word and Excel. Files that are too large to send over email can instead be stored remotely, and downloaded at a convenient point in time. What’s more, most facilities have a built-in search engine, allowing you to search documents by user.
Send links to files instead of physical documents
Where possible, avoid sending confidential documents by email. Instead, save them online in a file storage hub, and send a link to wherever they’re stored. This works particularly well for video files, which are best uploaded and delivered using services like WeTransfer or Send Anywhere.
Offer data protection training
What good is it having data protection principles in place as a company, if staff members don’t understand the importance of them? Anyone responsible for using data should have at least a basic grasp of what you can and can’t do when it comes to handling sensitive information. Good data protection training should take into account things like personal data and subject access requests.
Ensure those working remotely do so securely
We live in an age where an increasing number of people are either working from home or on the go, which begs the question: how do you protect data on work devices outside of an office? Most companies nowadays use what’s known as a mobile device management (MDM) system to containerise computers used remotely. A mobile device management system allows you to populate mobile devices like smartphones and laptops with corporate information that’s then isolated from personal data for security reasons.