The G.D.P.R. imposes a duty on all organisations to report breaches of personal data, i.e. whenever personal data is lost, destroyed, corrupted, disclosed, accessed without authorisation, accidentally lost, destroyed or encrypted by ransomware. It also imposes a duty to notify the individuals themselves. Besides being fined by the ICO, imagine having to tell a client that you lost their personal data!
Don’t worry, we can help you! Our founder has 24 years' experience in the IT industry, including 5 years' experience working for an ISP and a further 14 years running his own IT business. Data security is what we do!
What The Regulations Say
Article 32, Section 1 of the G.D.P.R. imposes specific duties on anyone holding personal data to “implement appropriate technical and organisational measures” to keep it secure, including:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Section 2 specifies that the level of security must prevent "accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed."
Section 3 requires adherence to an approved code of conduct or an approved certification mechanism to demonstrate compliance. We are awaiting guidance on this.
Section 4 requires the controller and processor to prevent unauthorised access to systems.
Compliant IT Systems
All our internal systems and networks are protected by the most up-to-date security features such as:
- Server monitoring 24 x 7 including service availability, antivirus updates, backup success, disk space and hardware health;
- Providing email hosting using Office 365 (cloud based);
- Operating a strong password policy within our business.
Let us evaluate your IT infrastructure and we will recommend services to help you implement "appropriate technical and organisational measures" in order to comply with Article 32, such as:
- Installing encryption and antivirus on all your PCs/laptops;
- Monitoring your server 24 x 7 and managing it remotely. The checks include service availability, antivirus updates, patching, disk encryption, backup success and disk space;
- Running checks on hardware health;
- Running full system backups;
- Installing offsite data backups;
- Web filtering to reduce the risk of users bringing security risks into the business;
- Ensuring safe network management by installing a Draytek Business Class Router including an integrated firewall;
- Changing “firewall rules” to allow or block specific people from your systems;
- Patching your Draytek regularly with security updates;
- Sending you a report of where patches have been applied for G.D.P.R. evidence;
- Installing Office 365 to improve email delivery and service reliability;
- Managing your licences and mailboxes so you only pay for what you use;
- Installing email filtering to identify and reduce cyber attacks such as malware, viruses, spam and phishing emails;
- Taking regular email backups and archiving;
- Implementing a strong password policy on your server;
- Reviewing your website in light of the G.D.P.R.
Our free 16-part security audit will provide you with the peace of mind that you have evidence to hand for an ICO inspection regarding Article 32 of G.D.P.R.