What is GDPR
The EU’s General Data Protection Regulation (GDPR) is the culmination of four years of work to update data protection for the 21st century, in which people routinely grant permission to use their personal information for a variety of reasons in exchange for services. In the UK, GDPR replaces the Data Protection Act 1998, which was brought into law to implement the 1995 EU Data Protection Directive. GDPR seeks to give people more control over how organisations use their data and introduces heavy penalties for organisations that fail to comply with the legislation or to report data breaches.
How it Affects You and Your Business
As GDPR is largely a stronger take on the current Data Protection Act, there may not be much you need to change in your business. Below is a short list of what you need to be aware of and have in place to be GDPR compliant:
- Password Policies – all staff should work to a written password policy that says how passwords are chosen and when they must be changed (for example immediately after any suspected exposure or when a shared account changes hands). Note that current NCSC guidance advises against forcing routine periodic changes, which tends to produce weaker, predictable passwords, and instead favours long unique passwords (ideally from a password manager), blocking known-breached passwords and enabling multi-factor authentication.
- Data Encryption – we recommend that laptops and portable storage devices are encrypted using full-disk encryption such as BitLocker (built into Windows Pro and Enterprise), FileVault on macOS, or a third-party product. This ensures that if a device is stolen, the contents of the disk cannot be read without the key. Store recovery keys centrally (for example in Active Directory or your cloud identity provider), never on the device itself.
- Access Permissions – when accessing data on your servers, people should only have access to what they need for their job (the principle of least privilege). Employees should not have access to sensitive or confidential information unless it is necessary, and permissions should be reviewed whenever staff change role or leave.
- SSL/TLS Certificates – if your website takes orders or collects customer information in any way, it must be served over HTTPS using a TLS certificate. This encrypts the connection between your website and the customer, preventing data being intercepted while a form is submitted. Note that this protects data in transit only; the information the site stores still needs the access controls and encryption described above.
- Remote Access – if you use remote access within your company, make sure that only the staff who really need it are allowed to use it, and that the connection is made over an encrypted VPN or a similar service rather than by exposing services such as Remote Desktop directly to the internet.
- Data Storage / Transfer – this covers the movement of data within your organisation, which should be carried out in an encrypted manner that reduces the risk of a data breach. For example, upload files to SharePoint or OneDrive for a staff member to read on a train rather than handing them a USB stick that could be lost or left somewhere; where a USB stick is genuinely necessary, it should be encrypted.
- Acceptable Use Policies – the rules for acceptable use of company machines, and for access within and outside the organisation, need to be set out plainly in a policy that is presented when logging on to a machine or included in the contract of employment.
- Consent – obtain consent from customers for any email marketing you undertake (in the UK the Privacy and Electronic Communications Regulations also apply). Under GDPR, consent must be freely given, specific, informed and unambiguous, so a clause bundled into a contract is unlikely to count. For the personal data you hold on employees, you will usually rely on the employment contract or a legal obligation as the lawful basis rather than consent, and you should tell staff what you hold and why in a privacy notice.
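Two of the items above, Data Encryption and Access Permissions, can be checked rather than taken on trust. The PowerShell script below is an added example, not part of Red Eight’s own tooling: it reports any fixed or removable volume that is not fully BitLocker-protected, and flags any broad group (Everyone, Users, Authenticated Users, Domain Users) that has write access to a folder holding personal data. The folder path `D:\CustomerData` is an assumed placeholder.

```powershell
# Added example, not part of Red Eight's own tooling.
# Audits two checklist items on a Windows PC or server:
#   1. Data Encryption   - is every fixed/removable volume fully BitLocker-encrypted with protection on?
#   2. Access Permissions - do broad groups hold write access to a folder containing personal data?
# Run from an elevated PowerShell on Windows 10/11 Pro/Enterprise or Windows Server (BitLocker module required).
# $DataFolder is an assumed example path; point it at the share that actually holds personal data.
param(
    [string]$DataFolder = 'D:\CustomerData'
)

# --- 1. Data Encryption ---
# Only volumes with a drive letter, so the mount point can be passed to Get-BitLockerVolume.
$volumes = Get-Volume | Where-Object { $_.DriveLetter -match '^[A-Z]$' -and $_.DriveType -in 'Fixed', 'Removable' }
foreach ($v in $volumes) {
    $mp = "$($v.DriveLetter):"
    $bl = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
    if (-not $bl) {
        Write-Warning "$mp ($($v.DriveType)): BitLocker status unavailable"
        continue
    }
    if ($bl.VolumeStatus -eq 'FullyEncrypted' -and $bl.ProtectionStatus -eq 'On') {
        Write-Output "$mp ($($v.DriveType)): encrypted with $($bl.EncryptionMethod), protection on"
    } else {
        Write-Warning "$mp ($($v.DriveType)): NOT protected - status $($bl.VolumeStatus), protection $($bl.ProtectionStatus)"
        # Remediation for a TPM-equipped system drive (uncomment to apply). Back the recovery
        # password up centrally (AD or your cloud identity provider), never on the device itself.
        # Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector
        # Enable-BitLocker -MountPoint $mp -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly
    }
}

# --- 2. Access Permissions ---
# Groups that should never hold write access to folders containing personal data.
$broadGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Domain Users'
$acl = Get-Acl -Path $DataFolder
foreach ($ace in $acl.Access) {
    $who      = $ace.IdentityReference.Value          # e.g. "CONTOSO\Domain Users"
    $rights   = $ace.FileSystemRights.ToString()      # e.g. "Modify, Synchronize"
    $isBroad  = [bool]($broadGroups | Where-Object { $who -like "*$_" })
    $canWrite = $rights -match 'Write|Modify|FullControl'
    if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $canWrite) {
        Write-Warning "$DataFolder : $who has $rights - restrict this to the team that needs it"
    } else {
        Write-Output "$DataFolder : $($ace.AccessControlType) $who -> $rights"
    }
}
```

Run it on each laptop and on the file server; anything reported as a warning is a gap against the checklist. The ACL check only reads the top-level folder, so repeat it (or wrap it in `Get-ChildItem -Recurse -Directory`) for subfolders that have had inheritance broken.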
What Data Red Eight Holds for your Company/Customers
Red Eight does not hold your customer information in any directly accessible form. The only time we may have a copy of information relating to your customers is through our Off-Site Backup service (although we strive to exclude personal data that is not essential to the backups). This is a service we provide to most of our clients, and the backups are transferred over an encrypted connection.
We may store any of the following information for your Company:
- Passwords for your website(s).
- Passwords and access to accounts associated with your website, such as plugin or theme accounts.
- A domain administrator login for your organisation, allowing us to access all company resources and to change user passwords on request.
- Contact details for people within your Company.
Please note that, unless stated otherwise in your contract with us, we may have access to sensitive information stored on your company servers. This should be stated clearly in your own GDPR documentation: a supplier who handles personal data on your behalf is a processor under GDPR, and Article 28 requires a written contract setting out what the processor may do with that data. If you require it, we can sign such an agreement for you, declaring in writing that we access your server, equipment and data exclusively for website support needs.
What to do in the Event of a Data Breach
In the event of a personal data breach, meaning a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (including hacking, a lost device, or a malware infection that affects personal data), the Information Commissioner’s Office (ICO) must be informed without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to people’s rights and freedoms. Where the breach is likely to result in a high risk to the individuals concerned, they must also be told directly. Keep a record of every breach, including those you decide not to report and the reasoning behind that decision.
When contacting the ICO, your report needs to cover the following points.
- Describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
- Communicate the name and contact details of the data protection officer (the designated contact within your business responsible for data protection, including breach reporting) or another contact point where more information can be obtained.
- Describe the likely consequences of the personal data breach.
- Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The above is extracted from the ICO website.
As your web services provider, Red Eight is here to offer you a helping hand in the process of becoming GDPR compliant, though it remains each company’s individual responsibility to ensure its business is GDPR compliant. If you need our help to review permissions and folder structure, encryption on portable devices, or similar matters, please get in touch with us and we will help you.
RED EIGHT CONSULTING LIMITED