How safe is your company’s data outside your office? The General Data Protection Regulation (GDPR) comes into effect this month, affecting any organisation worldwide that collects or processes personal data on EU residents. Here, GDPR compliance experts advise you how to protect your business
If your company relies on remote workers, you already know how crucial it is to ensure that data isn’t misused, mislaid or misappropriated. Yet with the General Data Protection Regulation (GDPR) coming into effect this month (May 2018), it’s also important to ensure you’re meeting the regulation’s strict requirements – or face significant financial and reputational damage. So how can you protect data on the move while retaining the benefits of a truly flexible workforce?
1. Educate your employees
In GDPR's terms your company is the data controller, and your remote employees process personal data on its behalf and under its authority. “This means they have as much of a role to play in keeping your business data secure as you do,” says John Slaughter, MD of Data Comply(1). “GDPR compliance should become a priority in their everyday roles, particularly when they’re working remotely,” he adds. “Clear guidelines about using secure networks are key, so identify and communicate which records are restricted to a secure environment.” He advises businesses to regularly train, re-train and review employees to ensure they understand the issues and that their practices are up to date.
Businesses should also consider reminding staff that public WiFi is by no means secure. “An individual shouldn’t bank using a public network, so they shouldn’t access confidential work documents either,” says Andy Kays, CTO at threat detection and response specialist Redscan(2). “Encourage workers to use only secured WiFi access points, or to connect to the company’s network via a secure (VPN) connection. It’s also good to connect to the internet via 4G (or dongle), which gives employees a good, secure connection to the service provider.”
2. Password-protect everything
GDPR gives supervisory authorities the power to impose fines of up to four per cent of a company’s annual global turnover (or €20m, whichever is higher) for the most serious infringements, and a significant data breach can fall into that category. Encryption is not a blanket exemption, but it matters twice over: if the data exposed in a breach was properly encrypted, you may not have to notify the affected individuals (Article 34), and the technical measures you had in place are one of the factors a regulator weighs when setting the size of any fine (Article 83).
“There’s no such thing as foolproof security – even Nasa has been hacked,” says Romanian-based Andrei Hanganu, author of the EU GDPR Documentation Toolkit(3). “But strong passwords and adequate encryption solutions will help keep your personal data safe from unauthorised users.”
Most businesses have software in place to encrypt office drives and any files saved onto them, but this doesn’t automatically extend to remote devices. Hanganu recommends providing the encryption software required for laptops, mobiles and personal desktop computers; then all the user needs is a PIN or password to unlock and unscramble the data into readable form. Two practical caveats apply. A login password on its own does not protect data at rest: the drive in a lost laptop can simply be read from another machine unless the disk itself is encrypted (BitLocker, FileVault or LUKS, enforced centrally rather than left to the user). And a ‘password-protected’ document only counts if the protection actually encrypts the contents rather than merely restricting editing. With that in place, all workers should be in the habit of password-protecting everything.
3. Stay clean
Malware that harvests or exfiltrates data is causing a personal data breach in GDPR’s terms, so infections fall within the regulation too. “With malware so difficult to protect against, most businesses take the view that it’s not if, but rather when you will get hit,” says Nigel Tozer, Director EMEA Solutions Marketing at Commvault(4). He recommends ensuring that your employees’ devices are protected by the most up-to-date operating systems and anti-virus software.
“Humans are always the weakest link in an organisation’s security posture and there can be devastating consequences if a single employee clicks a malicious link or fails to update their system,” adds Andy Kays. “It’s therefore important to raise awareness of cybersecurity risks through regular employee training, particularly with remote workers who may be accessing corporate data and services from numerous devices, locations and networks.”
Businesses could also consider scheduling regular sessions with the IT department, where workers bring in their mobile devices for security checks, updates and upgrades.
4. Remember visual security
“In a technologically advanced world, it’s easy to forget that there are still low-tech ways for people to steal your company data,” says Orlagh Kelly, Barrister and CEO of Briefed GDPR Training and Consultancy Specialists(5).
In an experiment conducted by 3M, an undercover hacker was able to obtain sensitive information purely by ‘shoulder surfing’ (looking at someone’s screen) in 88 per cent of trials(6).
“Encourage employees to be aware of who can see over their shoulder while they’re working outside the office,” says Kelly. You might consider issuing privacy filters which attach to a screen and block side views from those who are sneaking a peek.
5. Understand the limitations of the cloud
According to a Ponemon Institute study, 44 per cent of corporate data stored in cloud environments is not managed or controlled by the IT department. The same study estimates that the use of cloud services can triple the probability of a $20m data breach(7).
“Choosing the right cloud provider is very important,” says Nigel Tozer. “You need to know exactly how they will handle a data breach, as there are liabilities on both sides. If all the data stays in the EU, your cloud provider should ensure they’re maintaining it in a way that’s compliant with your legal requirements. You should also check that any data leaving the EU is adequately protected with regard to GDPR.”
Tozer points out that when it comes to GDPR, while the cloud provider is the data processor, your business is the controller. “[This means] it’s your responsibility to check your provider’s credentials and make sure it offers sufficient guarantees to implement appropriate technical and organisational safeguards that meet the new EU regulation.”
6. Respect your employees’ privacy
If you currently use tools or tech to monitor the productivity of your remote workers, you’ll need to consider how to align your good intentions with a need to protect their privacy, says George Harris, GDPR consultant for DMPC Ltd(8). “[Monitoring your staff] is difficult to justify in a standard business scenario,” he says.
Under GDPR it is hard to monitor an employee’s device (through keystroke logging or mouse-tracking technology) without violating their right to privacy. The Article 29 Working Party, the EU advisory body on data protection that the European Data Protection Board has since replaced, put it this way: “Technologies that monitor communications can […] have a chilling effect on the fundamental rights of employees to organise, set up workers’ meetings, and to communicate confidentially (including the right to seek information)(9).”
7. Have a data-breach action plan
“A data breach can include anything from a malware attack affecting someone’s laptop, to an employee leaving their work phone on the train, to them inadvertently emailing records to a group using ‘cc’ rather than ‘bcc’,” says James Walker, MD of Jaw Consulting UK, which specialises in cyber security, data protection and privacy(10).
Your first instinct will be to start damage control, and under GDPR there is also a reporting clock running. “An organisation has 72 hours to notify both the affected individuals and the relevant supervisory authority of a data breach, including an analysis of the likely consequence of the breach, and the measures taken or proposed to mitigate the negative effects of such,” says Walker.
Remember those four per cent fines from earlier? That’s what could be at stake if you fail to comply. “The exemption to this detailed notification procedure is if you can prove that the breach is unlikely to result in a risk to the rights and freedoms of natural persons,” says Walker. “Showing that you have properly encrypted the data will go a long way and may remove the requirement to even report such an incident as a data breach.”
(4) https://www.commvault.com