General ‘Data’ Protection Regulation sounds like it’s all digital, but ‘data’ really refers to any form. So if you hold Personally Identifiable Data (PID: names, addresses, emails, phone numbers, etc.) in any format, whether on paper or in a spreadsheet, it all needs considering.
Leaving a print-out on your desk of customer information, or having it pinned to your wall as a sort of ‘helpful quick list of numbers’ would be a GDPR failure, unless you’re the only person to use your office and it is otherwise locked.
Make sure your filing box/cabinet has a lock on it, and that you actually lock it when it is not in use. If someone else could walk up to your desk, open the filing cabinet and take out papers then you’re not protecting that data.
Lock the office door if you can, even if you’re just popping to the toilet. It might seem unnecessary, but if little things like this become a habit then you’re far less likely to suffer a data loss, because you’ve got ‘security as a habit’.
From experience, we know that many people store their passwords in easy-to-find locations – especially the back page of their journal/diary. It’s fine if you need to write things down, but make sure that by default they are locked away too.
This is also pretty simple, the focus being two-fold:
- someone can’t accidentally access PID
- basic prevention of malicious access
Nobody should be able to look over your shoulder at your screen. So in your Data Policy you might put down ‘avoid accessing PID in public places’, e.g. don’t sit in a cafe going through everyone’s records to check they are correct.
Do you have a screensaver padlock on your computer? That is, when you are away from your computer for longer than a minute, does it lock the screen and require a password to get back in? It’s simple security that can stop most casual attempts at taking information.
When starting up, does it just boot straight onto the desktop or require a password first? Obviously it should require a password, and if more than one person uses the computer each person should have their own username. If you use a family computer this is essential – sure, your kids/partner probably don’t want to access any of that data, but they shouldn’t be able to in the first place.
A little more advanced is a Hard Drive password, which is typically set up in the firmware when your computer turns on (before Windows/Mac OS loads). This means that even if someone took out the hard drive it would still be password protected.
Can someone (if they have access to your computer) just double-click and open up anything they like? If you have people’s information, like email and postal addresses, in a spreadsheet then it should ideally be password protected. See Microsoft’s guide on passwording Excel spreadsheets.
You should have it. Yes Mac users, that includes you – Macs also get infected; the myth that they don’t only persists because, for a long time, not enough people used them to make it worth a hacker’s time.
With that out of the way, do you know how to check if your Antivirus is on? Is it actually up to date or has that subscription run out? Find out, and run a ‘Deep/ Full Scan’ now, plus add it to your Data Policy that you’ll do that every month and put down the reminder you need.
The point being that you can password everything above, but if you let anything in from the Internet then it’s a bit like having a big hole in your ‘wall’. If you don’t have one/ need a new one, we suggest AVG Free.
Physical Backup Drive
This isn’t about the need for backups (which you do anyway, right?), but about the vulnerability a backup drive can be. E.g. it’s much easier to take someone’s backup drive and walk away with a copy of all the data!
So there are two things to check:
- When not backing up, consider locking away your backup drive
- If someone did take your backup drive, does it have a password? I.e. could they just connect it to their computer and get all the data?
Some of the biggest fines for data loss have come from laptop and hard drive loss or theft, because then all the data really is in the hands of someone else potentially without any form of protection.
Even better would be if your backup drive allows for encryption out of the box, so that even if someone did get your backup drive they wouldn’t be able to access any of the data.
Similarly, USB sticks shouldn’t have any PID on them at all really; they’re about as secure as a bucket with holes. Use them to transfer a presentation, but otherwise we’d suggest avoiding their use.
This is really the holy grail – that you have password protected access to your computer and PID but also all the data saved on your hard-drive (and by extension backups of that hard drive) is encrypted.
While there is a small computer performance penalty (it has to encrypt and decrypt everything going to and from the hard drive), the benefit in terms of certainty that your data is safe, in our view, outweighs this.
Mac and PC are both different, and it depends a bit on your chosen operating system:
You can do this on older versions of Windows too for free, or with a cheap program. The one important thing to mention here though is Please Keep A Copy Of The Encryption Password!!
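As an added example (not part of the original guide), the checks above for the screen lock, drive encryption and antivirus can be audited on a Windows 10/11 machine with a short PowerShell script. It assumes BitLocker and Microsoft Defender are the encryption and antivirus in use, and that it is run from an elevated prompt; the one-minute idle limit and the monthly full-scan interval are taken from the guide.

```powershell
# Added example: audit the guide's checklist on Windows (assumes BitLocker + Defender).
$MaxIdleSeconds = 60      # guide: lock the screen after about a minute away
$MaxFullScanDays = 31     # guide: run a Deep/Full scan every month
$MaxSignatureDays = 7     # assumption: definitions older than a week count as stale

$findings = @()

# 1. Screen lock: screensaver on, password required, timeout within the limit
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
$active  = $desk.ScreenSaveActive -eq '1'
$secure  = $desk.ScreenSaverIsSecure -eq '1'
$timeout = [int]$desk.ScreenSaveTimeOut
if (-not ($active -and $secure) -or $timeout -gt $MaxIdleSeconds) {
    $findings += "Screen lock: active=$active, password=$secure, timeout=${timeout}s " +
                 "(want on, password required, <= $MaxIdleSeconds s)"
}

# 2. Drive encryption: every volume BitLocker knows about (system, data, removable
#    backup drives) should have protection turned on.
try {
    foreach ($v in Get-BitLockerVolume -ErrorAction Stop) {
        if ($v.ProtectionStatus -ne 'On') {
            $findings += "Drive $($v.MountPoint) ($($v.VolumeType)): BitLocker protection is $($v.ProtectionStatus)"
        }
    }
} catch {
    $findings += "BitLocker cmdlets unavailable (Windows Home?): full-disk encryption not verified"
}

# 3. Antivirus: real-time protection on, definitions current, full scan within a month
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.RealTimeProtectionEnabled) { $findings += "Defender: real-time protection is off" }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureDays) {
        $findings += "Defender: definitions are $($mp.AntivirusSignatureAge) days old"
    }
    if ($mp.FullScanAge -gt $MaxFullScanDays) {
        $findings += "Defender: last full scan was $($mp.FullScanAge) days ago (want <= $MaxFullScanDays)"
    }
} catch {
    $findings += "Defender status unavailable: antivirus not verified"
}

if ($findings.Count -eq 0) { "All checklist items pass." } else { $findings | ForEach-Object { "FAIL: $_" } }
```

A third-party antivirus will not report through Get-MpComputerStatus, so on such machines only the first two sections apply.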