What better way to celebrate Data Protection Day, whose purpose is to raise awareness of individuals' privacy rights, than to remind ourselves of what organisations should be doing to keep their workforce's and customers' data safe? These tried and tested tips are not new; they are a timely reminder of what good practice looks like:
Train your workforce
Effective training, relevant to the roles of those being trained and both user-friendly and understandable in real-life terms, is essential. Not only will it help your workforce understand their responsibilities when processing personal data, it also shows your organisation's commitment to compliance, which may have the added benefit of building customer trust. Keeping an accurate training log (who was trained, on what, and when) is a simple and effective way to demonstrate that processes and training are in place should you ever need to show this to a regulator or a court.
Limit access to sensitive personal data
While many organisations consider who has access to what data as part of an audit or data-mapping exercise, the result is often written down once and seldom revisited. Access needs ongoing review: who can reach which data, especially sensitive personal data, what permissions and controls apply to it, and whether each person still needs that access for their role. In most organisations it is no longer possible to connect a personal device such as a memory stick to the network, but the disgruntled employee remains a risk. The Supreme Court judgment in Morrisons last year, which arose from an employee leaking payroll data he had legitimately been given access to for his job, shows what the implications are when things do go wrong (see our article on this here).
Ensure strong password security and access controls
Following on from the above is password security. Many websites now offer to check the strength of a password, often with surprising results about how quickly it could be cracked (never type a password you actually use into such a site; test a similar pattern instead). We all know not to use things that are easy to guess, such as abcde123, the names of pets or family members, or dates of birth, but the drive for unique, ever more complex and random passwords has also increased the need for some people, dare we say it, to write them down. A password manager resolves that tension by generating and storing a unique password for every account. The crucial combination is a unique, strong password for each service together with two-factor authentication (two-step verification) or a similar measure, so that a password that has been leaked or guessed is not enough on its own. Robust access controls, applied at all times, then ensure that people only have access to the personal data they really need, which limits the damage any single compromised account can do.
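To make the "how fast can it be cracked" point concrete, here is an added example (not code from the original post) that estimates password strength the way such checkers do, flags passwords found on a breached-password list, and implements the RFC 6238 time-based one-time code used as a second factor. The guess rate, the banned list and the strength thresholds are assumptions chosen for illustration; the RFC 4226/6238 reference secret and test vectors are the published ones.

```python
"""Stdlib-only password-strength estimator plus a TOTP second factor.

Added example for the password tip above; not code from the original post.
The guess rate, the banned list and the strength thresholds are assumptions.
"""
import hashlib
import hmac
import math
import string
import struct

# Assumption: the attacker holds a stolen database of fast, unsalted hashes
# and tests ~1e10 guesses/s on GPUs. A slow salted hash (bcrypt, argon2)
# cuts this by orders of magnitude, which is why the hash choice matters too.
GUESSES_PER_SECOND = 1e10

# Constructed stand-in for a real breached-password list (which has hundreds
# of millions of entries). Anything on it falls to the attacker's first guesses.
BANNED = {"password", "123456", "abcde123", "qwerty", "letmein"}

CHARACTER_CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
]


def charset_entropy_bits(password: str) -> float:
    """Upper bound: treats the password as uniformly random over the
    character classes it uses. Real human passwords are far less random."""
    pool = sum(size for chars, size in CHARACTER_CLASSES
               if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def passphrase_entropy_bits(n_words: int, wordlist_size: int = 7776) -> float:
    """Entropy of n words drawn at random from a wordlist (7776 = Diceware)."""
    return n_words * math.log2(wordlist_size)


def crack_time_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find the password: half the keyspace on average."""
    return (2.0 ** bits) / 2 / rate


def assess(password: str) -> dict:
    """Strength report. A banned password scores zero bits whatever its length;
    the 40/70-bit thresholds are an assumed policy, not a standard."""
    banned = password.lower() in BANNED
    bits = 0.0 if banned else charset_entropy_bits(password)
    years = crack_time_seconds(bits) / (365.25 * 24 * 3600)
    verdict = "reject" if banned or bits < 40 else ("fair" if bits < 70 else "strong")
    return {"banned": banned, "bits": round(bits, 1), "years": years, "verdict": verdict}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, mod 10^d."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side
    (to tolerate clock skew), comparing in constant time."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * 30), submitted):
            return True
    return False


if __name__ == "__main__":
    for pw in ["abcde123", "Tr0ub4dor&3", "correcthorsebatterystaple"]:
        r = assess(pw)
        print(f"{pw:28} {r['bits']:6.1f} bits  {r['years']:12.3g} years  {r['verdict']}")
    print(f"4 random Diceware words: {passphrase_entropy_bits(4):.1f} bits")
    secret = b"12345678901234567890"          # RFC 6238 reference secret
    print("TOTP at t=59:", totp(secret, 59))   # RFC test vector: 287082
```

Two things the numbers show: a 25-character all-lowercase passphrase scores higher than an 11-character mixed-class string, so length beats forced complexity (and is easier to remember); and a password on the banned list scores zero however it looks, because a dictionary attack tries it first. The TOTP check is what stops a guessed or leaked password from being sufficient on its own.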
Keep your security systems, processes, policies and controls up-to-date
We all know how fast the digital world changes and therefore how essential it is to maintain your data security. This is not only an issue for IT; it is an issue for everyone in your organisation. We may all have felt the temptation to postpone a patch when the prompt appears in the middle of something, but keeping your systems secure is essential: unpatched, publicly known vulnerabilities are among the most common routes into an organisation. Article 32 of the GDPR requires that "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk", so next time IT asks you to apply a patch, don't delay: do your bit to keep your organisation's data secure. Best practice also means keeping your processes, policies and controls up to date and accurate, so that they reflect what actually happens in your organisation rather than what was written down when they were first drafted.
Have a breach response plan
Should the worst happen and you experience a data breach, you will want a plan in place to deal with it. Depending on the nature of the breach you may have many decisions to make, and you want a clear process to follow. Those involved in dealing with the breach need to understand what constitutes a breach, how to categorise it and what methods are available to address any potential consequences, while evaluating the risk effectively. A process to investigate the breach (preserving the logs and systems needed to establish what happened before they are wiped by remediation) and to respond appropriately to it is essential: that may mean notifying the supervisory authority (under Article 33 of the GDPR, within 72 hours of becoming aware of the breach unless it is unlikely to result in a risk to individuals), notifying the affected data subjects themselves (under Article 34, where the breach is likely to result in a high risk to them), or deciding not to notify. Every breach, including those you decide not to notify, must still be documented. While the GDPR does not require you to notify banks, insurers, professional bodies, the relevant police force and so on, having this step in your breach response plan ensures it is considered and may help to minimise and mitigate the risk for affected individuals.
Robust vendor due diligence and contracts
It is vital to have confidence that, to the extent data is being shared outside your organisation, it will continue to be protected; Article 28 of the GDPR requires you to use only processors that provide sufficient guarantees, and to put a written contract with the mandatory terms in place with each of them. Equally, to the extent that you appoint third parties to supply or collect personal data on your behalf, you need confidence that such data has been lawfully obtained. Recent fines have shown that simply blaming the other party (even if they are solely at fault) is not enough to get you off the hook. You therefore need to think carefully before appointing any supplier to process your personal data and/or provide you with personal data, carrying out thorough due diligence and not blindly signing up to their terms.
What can we do to help?
Our expert Data and Privacy team has significant experience of helping a variety of organisations with their data and privacy issues. Whether you would like to keep up to date by signing up to our blog, attend our training sessions (for example our LGPD and GDPR session taking place this afternoon at 4.00pm), undertake a GDPR Health Assessment or obtain specific advice on data or privacy issues, we are here to help. For more information on any of our services please contact Alexander Milner-Smith or Bryony Long.
Finally for those of you who would like to see how our Co-Head of Data and Privacy, Alexander Milner-Smith is celebrating Data Protection Day see here: