GDPR and Cyber Security

Published on: 18th December 2018

The GDPR legislation that became law on 25th May 2018 has cast an even brighter spotlight onto the data security measures in place within organisations.

Although slightly more than half of all breaches result from internal, human factors, many threats to personal data can still be reduced or eliminated by taking the right preventative measures.

During the personal-data audit that should be central to GDPR compliance, many businesses discover and acknowledge weaknesses and vulnerabilities in their IT systems that could lead to a data breach and significant business disruption.

Here are some of the common themes that emerge through running a GDPR audit.

  • Physical Security - Are devices kept in locked rooms, or are they publicly accessible? Are they left in cars or other vulnerable places where they could be seen and stolen? Are they taken out of the office, where they may be mislaid?
  • Encryption - If devices are mobile, like laptops, are they encrypted to ensure that data can't be accessed without a "key" even if the device is lost or stolen?
  • Security Software - Are your devices protected with firewall and internet security (antivirus) software to reduce the threat from hackers, phishing and viruses?
  • Backups - Are you backing up your business-critical data? Do you have an off-site backup to protect against theft or fire at your primary office location?
  • Single Point of Failure - Do you have any critical data held only on a single device, such that losing it, or finding it inaccessible or destroyed, would compromise the business? (Accounts information is often held only on a single device.)
  • Device Life-cycle - Nothing lasts forever, so do you have a process for updating and replacing IT equipment when it reaches the end of its life? Hard drive failure can have the same net effect as ransomware.
  • User Management - Do you have processes in place to regularly update device login passwords, and to fully revoke access for staff/colleagues who leave the business?
  • User Compliance - Do you regularly review and update your data protection practices, and ensure that your staff/colleagues are aware of their responsibility for data protection?

For some organisations these few key points are only the tip of the iceberg, and specific IT systems will require additional layers of security or a combination of approaches.

PYXI for GDPR helps you to audit the personal data stores on the devices you have in your organisation.

Once you have this device-level overview, it is easy to see which systems are weak and need attention, helping you to improve your business's security and resilience against cyber threats.

Making sure your devices are secure and safe is central to avoiding data breaches, but should a breach occur, these safeguards will also mitigate the damage caused to your business and to the people you work with. Good IT security practices also reduce the risk of heavy fines following a breach, because they demonstrate active engagement with data protection rather than negligence and carelessness.

PYXI GDPR Team: 18th Dec 2018 09:02:00