OK, it’s time to take a deep breath and get this underway!
The key takeaway from the research we’ve done so far is that we need to answer the question “Have I done everything that it is reasonable to expect to protect someone’s personal data?”
That’s a lot different to “What have I got time to do?” or “What do I want to do?”
We also need to be able to comply with the requirement to respond to a data breach within 72 hours. That is huge in itself – would you know if someone had copied a load of data on to a USB stick without permission and walked out of the building with it?
Straight off, I’m able to answer the following:
- Do we encrypt the data stored on desktops, laptops and servers? YES. This deals with someone stealing the physical devices and trying to access the data. Without a password to log in, they won’t be able to access the data by removing the hard drive and plugging it into another system.
- Do we back up all data and store it offsite? Centrally stored server data – YES, laptops and desktops, not all of them – YET!
- Do we have up-to-date antivirus software installed on all our systems? YES
- Do we apply all security patches to all our systems as quickly as possible (i.e. within a week or two of these updates being made available)? YES
- Do we monitor what people access and do with data? YES (although the alerting isn’t always as fast as I would like, it’s usually within 48 hours)
- Can we do discovery searches on email and other centrally-stored data to comply with Subject Access Requests? Email – definitely YES; other data, centrally stored files – mostly YES; laptops/desktops – NOT YET
So that’s a good start. But we’re still not covering all the bases about what is reasonable to expect, and whether I could detect and respond to a breach within 72 hours. Hmm, need to think more about that.
There are a few outstanding things that we should be doing better:
- Do we control use of USB sticks etc. to ensure the data is encrypted? NO – but I know we can do this and so will be setting policies to ensure users can only write to encrypted media.
- Do we force encryption of data transmitted in email attachments? NO – but I know we can achieve this with our Office 365 subscription, so we have time to get that actioned.
The first big task is to look at our business processes and identify where the data is, and who has access to it. This, in itself, is a huge challenge if you have individuals working off spreadsheets, Word documents etc. that are scattered all over the place. Getting these stored centrally is critical so that if you need to delete something, you can find it quickly. We are very much still in the “discovery” phase.
Fortunately, most of the personally identifiable data we hold is stored centrally in our main database, but I know there are a fair few spreadsheets knocking around for various reasons (e.g. lists of crew for event accreditations, client contact lists used by our Business Development team for arranging visits, and payroll processing data).
While we do tick one box straight away, in that we have encrypted the disks on all our PCs and laptops, that data may be saved locally. Finding it is likely to be challenging, especially if someone has inherited another person’s computer and has no idea what data that previous staff member may have saved there. At the moment, I’m seriously considering giving all our staff a couple of weeks to gather any data they need and save it centrally – and then just wiping all the computers. The time it is likely to take to check every computer and laptop for personal data is going to be significantly longer than just re-installing the operating system for the many computers we manage. We have the tools in place to enable us to knock out a mass reinstall in a couple of days, compared to the weeks it could take to check every computer. It’s almost better to be safe than sorry; easier to start with a clean slate.
If you only have a couple of staff and a couple of computers to manage – the search and find approach is the one to go with, but when you have the best part of 100+ systems to investigate, it’s a whole different ball game (Heaven help the really big guys with thousands of systems!).
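The “search and find” approach described above is worth automating even when you plan to wipe machines anyway, because the scan tells you which files staff need to move centrally before the reinstall, and it gives you a starting inventory for Subject Access Requests. The script below is an added example, not the tooling used by the author or by any product named in this post. It walks a directory tree, pulls searchable text out of plain files and out of the XML parts inside `.docx`/`.xlsx` containers, and counts matches for a few simplified personal-data patterns (email addresses, UK National Insurance numbers and UK phone numbers). The patterns, the file-type list and the sample “inherited home directory” it builds under a temporary folder are all assumptions constructed for the demonstration; a real deployment would extend the pattern set and point `scan_tree` at the user profile or file share being reviewed.

```python
"""PII discovery scan: walk a directory tree and inventory files that look like
they hold personal data.  Added example, not the blog author's tooling."""
import os
import re
import tempfile
import zipfile
from collections import Counter

# Simplified patterns (assumption: tuned for a UK organisation like the one in the post).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # UK National Insurance number, e.g. AB123456C (simplified: real prefixes exclude some letters).
    "ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    # UK phone numbers: 07xxx xxxxxx / 01xxx xxxxxx / +44 xxxx xxxxxx, with optional spaces.
    "uk_phone": re.compile(r"(?<!\d)(?:\+44\s?\d{4}|0\d{4})\s?\d{3}\s?\d{3}(?!\d)"),
}

TEXT_EXTENSIONS = {".txt", ".csv", ".log"}
# .docx/.xlsx are zip containers; the searchable text lives in one XML part each.
OFFICE_PARTS = {".docx": "word/document.xml", ".xlsx": "xl/sharedStrings.xml"}
_TAG = re.compile(r"<[^>]+>")


def extract_text(path):
    """Return the searchable text of a file, or '' if the type is not handled."""
    ext = os.path.splitext(path)[1].lower()
    if ext in TEXT_EXTENSIONS:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    if ext in OFFICE_PARTS and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as z:
            try:
                xml = z.read(OFFICE_PARTS[ext]).decode("utf-8", errors="replace")
            except KeyError:  # container without the expected part
                return ""
        # Replace tags with spaces so adjacent cells/runs don't fuse into one token.
        return _TAG.sub(" ", xml)
    return ""


def scan_text(text):
    """Count matches per PII category in a string."""
    return Counter({name: len(rx.findall(text)) for name, rx in PATTERNS.items()})


def scan_tree(root):
    """Walk `root`; return [(relative_path, {category: count}), ...] for files with hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            counts = scan_text(extract_text(full))
            found = {k: v for k, v in counts.items() if v}
            if found:
                hits.append((os.path.relpath(full, root), found))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample data standing in for a previous staff member's home directory."""
    os.makedirs(os.path.join(root, "old_user"), exist_ok=True)
    with open(os.path.join(root, "old_user", "crew_list.csv"), "w", encoding="utf-8") as fh:
        fh.write("name,email,phone\nA Person,a.person@example.com,07700 900123\n")
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("Team meeting Tuesday, bring the projector.\n")
    # Minimal .docx-style container holding only the body part the extractor reads.
    with zipfile.ZipFile(os.path.join(root, "payroll_note.docx"), "w") as z:
        z.writestr("word/document.xml",
                   "<w:document><w:body><w:p><w:t>NI: QQ123456C</w:t></w:p>"
                   "<w:p><w:t>contact b.person@example.org</w:t></w:p></w:body></w:document>")
    return root


def demo():
    """Build the constructed sample tree in a temp folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, found in demo():
        print(f"{rel}: {found}")
```

Running it lists `old_user/crew_list.csv` (one email, one phone number) and `payroll_note.docx` (one NI number, one email) and stays silent about `notes.txt`, which is the point: the output is a shortlist of files to move centrally or delete, rather than every file on the machine. Counts are deliberately reported instead of the matched values so the inventory itself does not become another scattered copy of the personal data.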
So that’s Getting Started Part 1. My next post in this GDPR series will cover some of the other things we are looking at in this early phase.