How ACT Systems can help…
GDPR requires that appropriate measures be taken to protect personal data: it must be backed up so it can be restored, and it must be accessible only to those with a legitimate need to access it (you are also required to keep track of who those users are). Below are the key IT measures you will need to take to help ensure GDPR compliance for your company:
User Access Rights (domain security)
Ensure that only users who require access to personal information are authorised to access it. To achieve this, you will first need to identify where personal data is stored and then restrict access to those programs, shares or folders to the users who need it, reviewing the list periodically.
Secure password policy
Passwords are an important aspect of computer security and are the front line of protection for user accounts. A poorly chosen password may result in the compromise of the entire network. ACT Systems can help you implement a password policy that supports GDPR compliance.
Antivirus/Anti-Malware
You will need to ensure that all your IT systems are covered by suitable Antivirus/Anti-Malware software to protect data from corruption and security breaches. ACT Systems recommends ESET Antivirus products and can provide quotes for these where necessary.
Backups
All data needs to be backed up using a system that protects the backed-up data itself, whilst providing multiple recovery options. We recommend a monitored local backup together with an offsite remote backup. ACT Systems has a service that provides this, priced on a per-server basis.
Vulnerability Scanning & Patch Management
It is highly recommended that all servers and workstations have some form of vulnerability scanning and patch management in place. This system should monitor the installation of security updates for the operating systems in use and ensure the timely installation of necessary patches.
Failed Login Checks
Ideally, all servers should have an automated check for failed logins. A high number of failed logins from one source, or against one account, in a short period can be a sign of a hacking attempt such as password guessing.
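As an added illustration of such a check (this is example code written for this page, not a tool supplied by ACT Systems), the script below parses OpenSSH-style "Failed password" syslog lines and raises an alert when one source address produces five or more failures inside a ten-minute sliding window. The log lines, the threshold and the window size are all assumptions constructed for the example; a real deployment would tune them to the environment and feed the check from the server's actual authentication log (Windows security event 4625, for instance, carries the same information for domain logins).

```python
"""Added example (not ACT Systems' code): flag bursts of failed logins in auth-log lines.

Assumptions (not from the original page): OpenSSH-style "Failed password" syslog lines,
a threshold of 5 failures from one source within 10 minutes, and constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the common sshd/syslog format (not real log data).
SAMPLE_LOG = """\
Mar 10 09:00:01 srv1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 10 09:00:03 srv1 sshd[2102]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar 10 09:00:04 srv1 sshd[2103]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 10 09:00:06 srv1 sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 50125 ssh2
Mar 10 09:00:09 srv1 sshd[2105]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar 10 09:00:11 srv1 sshd[2106]: Failed password for root from 203.0.113.7 port 50127 ssh2
Mar 10 09:15:00 srv1 sshd[2200]: Failed password for alice from 192.0.2.10 port 41000 ssh2
Mar 10 09:16:30 srv1 sshd[2201]: Accepted password for alice from 192.0.2.10 port 41001 ssh2
Mar 10 11:40:00 srv1 sshd[2300]: Failed password for bob from 192.0.2.11 port 42000 ssh2
Mar 10 13:40:00 srv1 sshd[2301]: Failed password for bob from 192.0.2.11 port 42001 ssh2
"""

# Matches the sshd failure line; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Return a list of (timestamp, user, source_ip) for each failed-login line.

    Syslog lines carry no year, so one is supplied (an assumption for the example).
    Lines that are not failed logins (e.g. 'Accepted password') are ignored.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["src"]))
    return events


def find_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: peak_failure_count} for every source that produced at least
    `threshold` failures inside any sliding window of length `window`.

    Two failures hours apart (a user mistyping a password) are not reported; a burst
    of attempts in seconds is, which is the classic password-guessing signature.
    """
    by_src = defaultdict(list)
    for ts, _user, src in events:
        by_src[src].append(ts)

    alerts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until times[start..end] fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


if __name__ == "__main__":
    for src, n in find_bursts(parse_failures(SAMPLE_LOG)).items():
        print(f"ALERT: {n} failed logins from {src} within 10 minutes")
```

On the constructed sample, only 203.0.113.7 is reported (six failures in ten seconds); alice's single failure followed by a successful login and bob's two failures two hours apart are ignored. Tools such as fail2ban implement the same idea as a service and can block the offending source automatically; the value of writing it out is seeing that the check is a per-source count over a time window, not a raw total.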
CCTV
CCTV is covered by GDPR, as recorded footage of identifiable people is personal data. The need for CCTV in the workplace must be justified and documented (the extent to which monitoring is required, where it is required and at what times). It should also be covered in the Employee Handbook, along with employees' rights to access any footage held about them.
Any CCTV system installed by ACT Systems supports GDPR compliance by storing footage in an encrypted system accessible only via a strong password. Technical controls alone are not sufficient, however: there must also be CCTV warning signs on the premises so that people have the opportunity to ask about coverage and data retention, and the retention period itself should be defined and kept to. For further information on workplace monitoring please visit https://www.itgovernance.eu/blog/en/how-will-the-gdpr-affect-cctv-and-workplace-monitoring/
Cyber Essentials
Cyber Essentials certification covers several of the points above. We strongly recommend that you consider obtaining certification to show that reasonable measures have been taken to comply with GDPR from an IT security standpoint. We can help facilitate the process; for more information on Cyber Essentials please see https://www.cyberaware.gov.uk/cyberessentials/
Remember that this is something your business cannot ignore. All businesses, large or small, will be affected in some way, and preparation should be taking place now.
We are partnering with Moore Stephens LLP (www.moorstephens.co.uk), an accountancy and consultancy firm with significant experience in advising clients on GDPR compliance from an organisational perspective. Moore Stephens LLP can, if required, undertake a privacy health check to identify the gaps between an organisation's current practices and the requirements of GDPR, and can also assist in remediating them. In addition, Moore Stephens LLP are hosting workshops to help organisations understand the regulation better and be in a better position to identify such gaps going forward.
If this is of interest or you have any questions, please contact the Moore Stephens LLP UK privacy lead, Christopher Beveridge, for a no-obligation chat. Christopher can be contacted at Christopher.firstname.lastname@example.org.
Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now
Measures are taken or proposed to be taken by the data controller to address the breach and mitigate its adverse effects.