GDPR: Don’t forget to lock up!
In the rush to get organisations ready for compliance with the GDPR, which comes into force on 25th May 2018 (not long now), the focus is rightly on raising awareness, revisiting policies and procedures, and putting systems in place. But many of the organisations we’ve met are forgetting the simple, and equally important, physical and behavioural security controls.
One look at the list of fines and penalties published on the ICO web site shows clearly that a significant number of data breaches relate to poor physical security and to poor conduct by people using mobile technologies (although some of that blame lies with poor enforcement of IT security policy).
It starts with the doors: make sure they have proper security, and that staff obey door security controls, such as not allowing someone they do not recognise to follow them through a security door.
Then there’s the worker having breakfast in a hotel: laptop open and logged in on the table, and they simply walk away to the buffet to get their food without locking it (Windows+L, or CTRL+ALT+Del and ‘Lock’, takes a second).
The worker who copies data onto an unencrypted USB data stick, then not only loses it but fails to tell the organisation what has happened.
The filing cabinets containing personal data which no-one locks because it’s ‘annoying’ having to get the key each time.
When an organisation starts its gap analysis and data flow mapping, it really ought to cover all of its security controls, not just the software-based ones.
Make sure that doors have locks of the right strength and security grilles where needed, and that staff are expected to challenge unknown individuals who follow them through doors.
Workers need to lock laptops and desktop PCs whenever they walk away from them, even inside their own organisation, and must not tell anyone, even their best friend, what their passwords are.

Organisations also need to ensure that all mobile technology is encrypted: laptop, tablet, phone, data stick, it does not matter, get it encrypted (full-disk encryption for laptops, not just a password on the login screen). Make sure the organisation manages its mobile phones so that they can be remotely locked and wiped if lost.
Enforce paper data security and use lockable filing cabinets and cupboards.
Apply data retention policies to all data, in all forms: delete it or destroy it when it’s no longer needed, and don’t keep it ‘just in case’; there is no ‘just in case’ lawful basis under GDPR.
And the best thing any organisation can do is develop a ‘no blame’ culture, so that staff feel comfortable coming forward when they make an error and the breach can be contained quickly (remember that GDPR gives you 72 hours from becoming aware of a breach to notify the ICO where notification is required, so every hour of silence counts). Staff should also feel that they will be listened to when they spot flaws in security, and speak up to get them changed.
Remember, GDPR is not all about the digital stuff: don’t forget the physical equipment, the door locks and staff conduct.