PRACTICAL TIPS FOR KEEPING YOUR DATA SECURE
Chattertons strive to give clear, comprehensive and practical advice – with that in mind, here are six helpful tips to assist your organisation in working towards keeping your data secure for GDPR compliance.
Data Mapping
In order to comply with GDPR you will need to understand what data your organisation collects, processes and stores.
Data mapping is a key ingredient in achieving compliance. You need to recognise all of the data flows within your organisation. There is no set format for a data map, but as a starting point, it should identify:
- All of the personal data your organisation handles;
- How that data is collected;
- How it is processed;
- Which locations (if any) it is transferred to or shared with; and
- How it is retained.
This applies to all personal data – whether held physically or electronically.
We often find that our clients are very surprised at the outcome of a data map, as invariably they identify issues with personal data they had not previously considered.
Clear Desk Policy
A clear desk policy is a basic but necessary step in ensuring your organisation is keeping data safe and secure, as required by Article 5(1)(f) of the GDPR.
Physical personal data should only be in a work space when it is required and it should always be put away at the end of each day.
A clear desk(top) policy is also a helpful step. This means that at any one time only the personal data you require is displayed on screen (especially in a shared work environment) and that work stations are always locked when unattended, with a strong and regularly changed password.
Keep Physical Data Secure
A clear desk policy is not enough to ensure you are keeping all physical personal data secure.
Any data not being used should be kept in a locked location (e.g. a filing cabinet, safe or strong room).
A record should be kept of who has access to the keys and codes to any such physical storage facilities and only those who need access should have it.
Keep Electronic Data Secure
You need to ensure that your organisation has sufficient and appropriate cyber security measures in place so that all of the personal data held within your servers and systems is kept safe and secure.
If your organisation allows access to data from personal electronic devices, this should be reviewed urgently. The safest option would be to prohibit access to the personal data held within your organisation from a personal device (e.g. an employee’s personal phone or computer).
Your organisation should consider providing strong technological and organisational measures for those who need remote access.
If this is not practical, then sufficient steps must be taken to ensure staff personal devices are safe and secure when handling personal data that belongs within your organisation.
Remove Auto-Fill Functions and BCC
You should turn off email auto-fill and auto-remember functions.
This reduces the likelihood of a data breach (e.g. sending an email to the wrong person) and reduces the chance of your organisation storing personal data for which it has no appropriate lawful basis for processing.
If you are sending an email to more than one person outside of your organisation (e.g. a group email) you should always use the ‘blind carbon copy’ (BCC) function within your email system. This ensures that the email addresses of the recipients are not disclosed to one another when sending out such messages.
Staff Training
The final step in keeping data secure is to ensure your staff are fully trained. It is important that staff are aware of the policies and procedures in place to keep client data secure.
Chattertons can offer training to your staff as well as regular ongoing training to maintain competence.
If you would like any further details in relation to data protection and GDPR compliance, or if you would like to discuss your specific needs and requirements with a member of our specialist Data Protection Team, please contact your most convenient office, complete our online enquiry form on the left-hand side of this page or, if you would prefer, contact a team member directly.