Last year, the run-up to the GDPR left a number of businesses and charities in a panic as 25 May 2018 loomed ever closer.
After the rush to implement and send emails attaching privacy policies and seeking consent, the panic died down and the fear of the GDPR started to lessen.
However, as IT and Data Security specialists, it’s our responsibility to make sure the GDPR doesn’t fade into the background now that a year has passed.
Why? Because we believe in being proactive instead of reactive. We want to make businesses and charities like yours as secure and compliant as possible, before you have to justify yourselves to the ICO.
As good as the news is at keeping us updated about the events of the world, the only companies we have seen punished so far are large corporations such as Google and Facebook, and as a result we have been lulled into a false sense of security. This leads business owners like you and us to believe that we won't be targeted by cyber criminals or experience a breach.
This is not the case. All businesses and charities are at risk of a data breach. So why not prepare?
Over the past few months our clients have been asked more focused and in-depth questions by their suppliers and customers. Considering these questions will help all businesses to assess whether they are actually doing what is required to comply with the GDPR and protect themselves from a data breach.
Can you demonstrate that you do the following and keep records of your compliance?
1. Are relevant policies and procedures provided to all employees, required to be followed in everyday practice and linked to disciplinary procedures? How do you record and achieve this?
2. What is your process for dealing with Subject Access or Data Portability requests within 30 days? Do you have processes in place to maintain the rights of the individual, within the time limits laid down by the Regulation?
3. Do you give new employees a briefing on their corporate and security responsibilities before, or immediately after employment, preferably reinforced by reference literature? How do you do this?
4. Do the contracts with all your suppliers ensure that they meet a set of security requirements that you have defined around handling data and keeping information secure? Please explain the requirements you have set and the reasons why you have chosen them.
5. Are only authorised personnel who have a justified and approved business case given access to restricted areas containing information systems or stored data? How do you achieve this?
6. How do you ensure that all your suppliers (including cloud providers and sub-contractors) follow information security procedures that are certified to be the same as, or more comprehensive than, the information security procedures followed by your own organisation for the data involved in that contract?
These are just a few of the questions that our clients are frequently asked. They might be the difference between keeping and losing a contract, or between fulfilling and failing the basic requirements of a tender.