Please be aware that this document is still a work in progress and will be changing regularly over the coming weeks. Last Updated 17/04/2018.
GDPR, from what we have seen, is as much about the real-world side of your business as it is the IT side, so please make sure you have the necessary policies and staff training in place. On our site we will have links to third-party companies that may be able to help you with the paperwork and staff side of your business.
Below we have listed some generic and simple ideas we have used, or requirements which may be needed to meet the GDPR, together with the procedures and security we have put in place or will be aiming to reach in the near future. It draws on information from many different sources as well as common-sense practices we see day to day when serving thousands of small to large businesses.
If you have any ideas you would like to see added to this list, or any improvement to our own, please feel free to contact us, as we are always looking for ways to improve. You will likely find some points only skim the surface, so you will need to investigate them in more detail as every scenario will differ from our own.
***Please Note: The information contained in this document is only our opinions and practices we follow. They are not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances.***
Not only are browsers now requiring this, but you should at the very least use SSL (TLS) certificates to give your site or app a basic level of protection from hackers and malicious bots (automated hacking tools). Not only is this peace of mind for you, but customers can be confident that any data submitted on your site or app is encrypted in transit to the server.
When storing customer information collected via forms or internal systems, customers now need to know where that data is being stored. They will need to be made aware of who the server host is and the location of that particular datacentre, so that they can make an informed decision on whether you may hold their data in that location. For instance, Ahead4 Limited previously used OVH and their France datacentre; currently Ahead4 Limited use RedStation and their UK datacentre. Sharing any more detail than this is a security risk, but with this much customers can research that company and make an informed decision on whether it is right for their needs.
To expand on this, think of it from a customer's perspective: would you rather your personal data was stored in a shed on a completely open industrial estate, or in a remote datacentre with 24/7/365 roaming security, CCTV, failsafe and breach protocols, escorted and monitored visiting personnel, tall concrete walls and so on? This applies to any and all third-party applications: with payment gateways, for example, customers will need to know who holds their card information and where; if you use map software with their location, who provides it. You ideally want customers to know exactly who holds every piece of their personal data and where it goes when they interact with your business, i.e. card information, name, address, phone number, email address and the details behind their business with you (car details, device details, details of their home etc.). Information generally is not stored in one exact location, so make sure customers know exactly who stores it, where and why.
You now need to be completely transparent with your customers, in layman's terms, about exactly what their rights are regarding your terms and conditions of business. This includes their rights over their data and how destroying their data records may affect how you continue to do business with them (i.e. will they need to create a new account every time they wish to use your services). Policies on your business and how customers interact with it should also cover their personal data: if your site uses cookies, what information is collected, why it is collected and, finally, where that information is stored.
The footer of your website should contain the information a customer expects: your head office location, contact details, links to the terms of the site and copyright information. You must supply these details; however, if you do not wish to share your personal correspondence address, for example if you are a new business operating from home, you can set up a P.O. Box address instead; see here for a guide: https://www.royalmail.com/po-box/.
Customers will need to be made aware if you are using an open source website solution, and additionally given a list of the plugins the site is currently using. Because of the open source nature of some web solutions, and WordPress in particular, new methods of breaking into the site and stealing personal data appear weekly. In most cases this is down to either using untrustworthy plugins on which no due diligence has been done, or general negligence in allowing a WordPress installation to become outdated and not taking the time to maintain it properly. The most common problem of all is using a password that is not secure, which makes brute-force attacks very easy to carry out; you should at the very least use a proper password generator, such as the one here: https://passwordsgenerator.net/, or a password manager such as https://www.lastpass.com/.
Email footers should contain at the very least the name of the business or logo the recipient is corresponding with, the registered address of the business and registration number, contact numbers /emails and legal information with links if required.
You may only acquire email addresses to mailshot or market to through your own platform, with clear intentions of how you will use them. You cannot buy lists from third parties to market to, as doing so will expose you directly to heavy penalties.
You cannot market to customers who have not opted in to marketing. You will need to ensure newsletter signup forms used specifically for email marketing include very clear links to the legal information and checkboxes confirming that they have agreed to the terms.
If you do work for a customer, carry out a transaction for goods or services, create a quote etc., then you will likely hold a record of their email address, which cannot be marketed to unless they have specifically opted in. You will need to provide customers with a link to the newsletter signup form, with clear intentions of what it is for. Existing customers will also need to complete this form; otherwise the ONLY use for that email address is correspondence relating to a transaction or service you have provided, or a customer service enquiry. You cannot share or sell this address or use it for marketing purposes, as you now have full responsibility for that person's data and must ensure it is used appropriately.
As an example, say a customer approaches you for a quote: you take their details in order to send the quote out, put the paperwork together and send the quote across. Unless they have specifically given you permission, you cannot follow the potential client up with another email, as this is considered a form of remarketing. You also cannot add their email to a mailing list to remarket to them, but you may hold their information on file for a reasonable amount of time, for example 14-30 days, whilst you await a reply. After this period the information must be destroyed.
Customers should be able to opt out of marketing emails easily, either through a clear unsubscribe function in the emails themselves or by contacting you to have their email address removed promptly.
Something very easily overlooked: if you have CCTV in the office, especially with one- or two-way audio, you must be careful how this data is kept and stored, especially if confidential phone calls or conversations are picked up. The same applies to confidential documents containing client information, which can easily be read through high-quality CCTV systems.
Dash cameras: we made changes to our fleet vehicles in 2017 which meant all vehicles use a recording device. We realised that not only were we recording video but also internal sound from the cabin of the vehicles, meaning conversations mentioning passwords and other confidential data were picked up from phone calls. We have since disabled this functionality so that, in the event of a theft, no data is stored on the device that could be used for malicious purposes.
Recorded calls will no doubt contain critical information mentioned at all levels of a business, so ensuring that call recordings are stored securely is essential. Additionally, where are they stored: internally, or with a third party that provides the service?
In the event one of your mobile devices is stolen, how difficult is it to get at the information on it? Ensure you use screen locks (the best two to use are fingerprints and unique passwords). Also look at what procedures you have in place to keep those devices as secure as possible, e.g. do you have remote access apps that can wipe the phone? Even once a device has been stolen, a breach can be avoided if you handle the incident quickly and correctly. Please see the following guide:
https://www.androidpit.com/how-to-remotely-delete-android-phone-data
Most modern devices can have encryption applied, so that if the phone is stolen it will, without the password, destroy its data and firmware after a few failed attempts without warning. This renders the phone completely useless, but more importantly keeps the data secure.
Laptops that store local data should at the very least have a password-protected login; however, from an IT perspective this is easily bypassed in a couple of minutes by someone who knows what they are doing. For that reason we only recommend proper encryption software, which makes it extremely difficult to get into the system. This is critically important if the device holds locally stored customer data. Some versions of Microsoft Windows include a free encryption option; however, we only recommend DESlock, see here for more information: https://www.deslock.com/.
When you are moving data between online services, you should use the most secure methods available. Many marketing platforms, CRMs and modern third-party web applications have APIs (Application Programming Interfaces) and direct syncing methods over secure routing. We have found many customers do not take advantage of this and instead manually copy data, or manually export and import it between their systems, which increases the chance of a data breach on top of the risk of human error.
It is also worth thinking about how you are copying data: RIGHT CLICK + COPY or CTRL + C leaves traces of the copied data in the computer's memory (the clipboard). This is another reason that manually copying data in an unsecured environment is very bad practice, especially if you are not taking steps to clear that data afterwards or to avoid leaving copied data in memory at all.
If you absolutely need to transfer data between locations manually, rather than over a secure network, we advise you to look at hardware devices that support encryption with password protection, such as the following: https://istorage-uk.com/encrypted-flash-drives/.
So you have had a data breach: something you have probably prepared for, with proper lockdown procedures? If you are like the vast majority of companies it is likely something that crossed your mind once and was never thought about again. Well, here is a reminder: you must report an incident to the ICO within 72 hours, and what you do in those 72 hours will decide whether you are legally allowed to resume trading, or must first reinforce the security procedures around your business to adequate levels before you can start again.
To prompt thinking, consider the following when designing your unique procedure:
Who are the key personnel who ensure this happens with speed and efficiency?
Do your staff know what to do in a data breach?
Do you have the key personnel to investigate what happened and ensure full lockdown of the company is achieved?
Are all staff aware of who in the company will be carrying out the detailed investigation?
Are staff aware that in the event of a breach they will be locked out of the system until the investigation is over?
Which data networks need to be turned off and secured?
Can you force logouts / lockouts of internal and external systems?
What exactly was stolen?
How did they get in?
Were your passwords weak in the affected area (Password123 vs 3xhmCbURb5A2AFPX)? More importantly, are they encrypted?
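To make the password question above, and the brute-force point made earlier about WordPress logins, concrete, here is a small added Python example. It is not part of the original document or Ahead4's own tooling. It scores the two passwords the page uses as its weak/strong pair, and stores a password the way a breach-conscious system should: never reversible, but salted and stretched with PBKDF2 so that a stolen table gives an attacker only slow guessing work. The short common-password list and the thresholds (10 characters, 60 bits) are constructed for the example, not values taken from the page; a real deployment would check against a large breached-password list.

```python
import hashlib
import hmac
import math
import os
import string
from typing import Optional, Tuple

# Character classes used to estimate the alphabet a brute-force attacker must cover.
_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation)

# Constructed toy set of common base words (assumption for this example only).
_COMMON_BASES = {"password", "qwerty", "letmein", "welcome", "admin", "iloveyou"}

# Thresholds chosen for this example; they are assumptions, not values from the page.
MIN_LENGTH = 10
MIN_BITS = 60.0
PBKDF2_ITERATIONS = 600_000  # in line with current OWASP guidance for PBKDF2-HMAC-SHA256


def estimate_entropy_bits(password: str) -> float:
    """Rough brute-force entropy: length * log2(size of the character classes used)."""
    alphabet = sum(len(cls) for cls in _CLASSES if any(ch in cls for ch in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def check_password(password: str) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Length and entropy alone would pass 'Password123' (11 characters over a
    62-symbol alphabet is about 65 bits), so the common-word check runs first:
    letters only, lower-cased, so that appended digits or symbols do not help.
    """
    if len(password) < MIN_LENGTH:
        return False, "too short"
    base = "".join(ch for ch in password.lower() if ch.isalpha())
    if base in _COMMON_BASES:
        return False, "common password with digits/symbols appended"
    if estimate_entropy_bits(password) < MIN_BITS:
        return False, "not enough variety for its length"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, stretched hash in a self-describing 'algo$iterations$salt$digest' string.

    The password itself is never stored, so a stolen table cannot be decrypted;
    it can only be attacked by guessing, at PBKDF2_ITERATIONS hashes per guess.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for pw in ("Password123", "3xhmCbURb5A2AFPX"):
        print(pw, round(estimate_entropy_bits(pw), 1), "bits", check_password(pw))
    record = hash_password("3xhmCbURb5A2AFPX")
    print(record)
    print("correct password verifies:", verify_password("3xhmCbURb5A2AFPX", record))
    print("wrong password verifies:", verify_password("Password123", record))
```

The design point is the order of the checks: a length-and-character-mix score on its own rates "Password123" at roughly 65 bits, which looks respectable, and only the dictionary check exposes it as a guessable base word with digits appended. The storage side answers the page's "are they encrypted?" question in the form a defender actually wants: hashed with a random per-user salt and a deliberately slow key derivation, verified with a constant-time comparison.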
These are good questions to begin with so that, if the worst does happen, you are able to shut down efficiently. You have to think outside the box and view each scenario from different angles, because an attacker will be looking for a weak point. A relatively basic scenario: how do you know the mailbox you use for resetting passwords is not itself breached? Assume it is, and use a fallback channel to reset passwords so the attacker never sees the generated link. Most of the 72 hours will be a mix of figuring out what was taken and securing your network with new passwords and reinforcing the weak points.
So make it strong in the first place. Answering most of those questions will naturally lead you to put procedures in place before a breach can happen.
So you are not only responsible for the data you keep and how you use it, but you also need to be able to retrieve it, or continue to supply it, in the event of a disaster, which could be anything from a single computer failure to an unusable office or location.
This would be a good time to check your disaster recovery plan: how quickly you can get back up and running, and how you retrieve the data from backup sites and services. Speak to us or your IT supplier to make sure you have this documented and, ideally, tested.
This may sound simple, but leaving information on your desk may be helping people gain access to your machine, and you could even be meeting someone at your desk, exposing them to private information.
There have been cases over the years of people taking pictures or selfies at desks which expose data, customer sales figures etc. without them realising what is being shown.
We have been asked about the impact of office printers and copiers. Although it is rare, some models allow you to store documents directly on the printer, where they can be viewed at a later date, or keep scans in the printer's own memory rather than on the shared drive or local computer.
You may want to document where that data is stored and be careful when disposing of these units. We recommend not using internal memory and storing only to the company server.
We would recommend speaking to your printer supplier or IT department.
Of course most people are aware of having a Wi-Fi password, but it may be time to check you are using the most modern standards. We also recommend that you talk to us or your existing supplier about changing standalone Wi-Fi access points to something like the managed / hosted devices we offer, which can all be kept up to date, with security changes such as a new password applied quickly across multiple offices remotely.
As a minimum, speak to your IT person to make sure the current equipment has the latest firmware and software, and ask whether it can be separated from your data network so that it supplies internet access only.
Hopefully you have a firewall on your network, but we currently recommend that you speak to us about installing an endpoint protection solution.
This not only gives you a commercial virus checker and local firewall but, for just a few pounds a month, it can all be managed and hosted remotely, giving us up-to-date reports on the status of the firewall and virus checker and any recent threats, and allowing us to check that the operating system is up to date.
Please contact a member of staff for more information.
If the above raises any concerns or questions, please book your current engineer or an Ahead4 engineer on site to go through them further and make any changes needed to your IT setup.