Data protection under the GDPR: where SMEs are most at risk
Written by Simon Morgan, HR Dept South East London and North Kent.
The General Data Protection Regulation comes into law on Friday 25 May. There’s been a huge amount of discussion recently about the consequences of non-compliance – namely a huge fine of up to €20m or 4% of your global turnover. The Regulation doesn’t discriminate according to size – as an SME, you have the same duty to comply as a large multinational.
With just two weeks to go until the Regulation takes effect, we thought we’d set out some of the most common data protection vulnerabilities that you should be sure to address.
- Lack of awareness
Many security breaches at SMEs can be attributed to a lack of awareness among employees; whatever security measures you have in place, your good work can be undone instantly by a member of staff who accidentally sends confidential personal data to the wrong person or clicks on a link in a malicious email.
Make sure that you have comprehensive cyber and data protection policies in place and, crucially, that employees are trained on them. Ensure that all employees understand that everyone has a responsibility for data protection, not just those with it in their title. Including data protection within each employee’s objectives is a good way to promote collective responsibility.
- Poor password practice
Poor password practice is the cause of many data breaches – whether they’re not updated regularly, the same passwords are used for numerous accounts, or simplistic words and references are used that can be easily guessed. Ensure stronger passwords by using private, certificate-based authentication, changing them at least 90 days, and using a combination of letters, numbers and symbols.
- Losing a portable device
Portable devices often hold a lot of sensitive data, which means they pose a real data privacy risk in the event that they are ever left on public transport or in a hotel. Although it’s hard to prevent employees accidentally leaving a device behind, there are ways to mitigate the damage once it’s happened. Set strict access rights to ensure that, should a criminal get hold of the employee’s laptop or other device, they would only be able to view a portion of the company’s personal data, and protect the data that’s held on the device by encrypting or pseudonymising it before it is transferred.
- Poor access controls
Many SMEs fail to adequately control access to systems. Passwords get shared too frequently, meaning that everybody ends up able to access everything, often including administrative privileges. This makes you vulnerable to a cyber breach and makes it very difficult to identify the responsible party if something does go wrong.
Make sure that you provide all members of staff with individual logins, only for the systems they need and to the level that they require, and review them regularly.
Ensure that you terminate all accounts that are no longer in use and automatically revoke the privileges of staff when they leave.
- Insufficient backing up
Despite your very best endeavours, no security solution is foolproof, and therefore it’s essential that you have all of your critical data backed up securely. Though more SMEs are now implementing backup solutions, it’s not enough just to set one up – you must backup regularly. Experts recommend backing up your systems offsite everyday, as well as checking the quality of the backups periodically.
GDPR is just around the corner and it’s essential that you’re prepared for it. Security solutions are an important defence, but nothing will work effectively unless your employees are on board. For help getting your staff GDPR-ready, contact Simon Morgan, The HR Dept (South East London & North Kent). firstname.lastname@example.org. Tel 0345 634 9154.