Security

Your Computer and GDPR: Secure File Storage and Encryption

If you’re running a business you will definitely be storing and using personal data. That means you have obligations under the new GDPR rules. In my last post, Your Website and GDPR: Privacy Policy and Consent, I described what’s needed to get the online side of your business compliant. But what about any files, documents, or invoices, or any other records you keep? This post will explain ways to ensure your customer records are secure.

Know What, Why & Where Information is Stored

When you audited your business (you’ve done that, right?) you will have created a list of the types of information you hold, why and where. In all likelihood this will include some electronic files stored on your local computer and maybe also paper copies or other paper-based records.

For example, maybe you keep it all as entries in your Outlook address book, or you might have a customer-registration form, or a database entry in a CRM application.

If you’re creating electronic copies, are they backed up anywhere? Are you backing up to a physical drive or to the cloud? Is your cloud storage secure, located in the EU, and GDPR compliant?

Any method of collecting or storing data falls under GDPR, so read on to find out ways to ensure your computer and any paper copies of files, and therefore your customers’ data, are protected and secured.
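The audit above starts with finding out where customer data actually lives on your machine. The following is an added example (not from the original post) of a small Python inventory script that walks a folder tree and lists the text files containing e-mail addresses or UK-style mobile numbers; the sample files it creates are constructed for the demo and the patterns are assumptions you should tune for your own locale and file types.

```python
import os
import re
import tempfile
from pathlib import Path

# Markers for the most common personal data in a small business's files (assumed patterns).
# The phone pattern is deliberately loose and UK-specific; adjust it for your locale.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?<!\d)(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}(?!\d)")
# Text-like files worth scanning; PDF/DOCX need a text converter first.
TEXT_SUFFIXES = {".txt", ".csv", ".md", ".json", ".eml", ".html"}

def scan_file(path):
    """Return {'emails': n, 'phones': n} for one file, or None if it holds no personal data."""
    try:
        text = Path(path).read_text(errors="ignore")
    except OSError:
        return None
    emails = len(set(EMAIL_RE.findall(text)))
    phones = len(set(PHONE_RE.findall(text)))
    return {"emails": emails, "phones": phones} if (emails or phones) else None

def build_inventory(root):
    """Walk `root` and list every text file that contains e-mail addresses or phone numbers."""
    inventory = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() not in TEXT_SUFFIXES:
                continue
            path = os.path.join(dirpath, name)
            hit = scan_file(path)
            if hit:
                inventory.append({"path": os.path.relpath(path, root), **hit})
    return sorted(inventory, key=lambda r: r["path"])

def demo():
    """Constructed sample files (no real customers) showing what the inventory looks like."""
    root = tempfile.mkdtemp()
    samples = {
        "invoices/2018-04.csv": "name,email\nJane Doe,jane@example.com\nSam Roe,sam@example.org\n",
        "notes/todo.txt": "Call the printer about the new letterhead.\n",
        "contacts/leads.txt": "Ask Pat on 07700 900123 about the quote; cc pat@example.net\n",
    }
    for rel, body in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return build_inventory(root)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Run it against your real documents folder with `build_inventory("/path/to/documents")` and keep the output with your audit notes as the list of where personal data is held.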

Storing Digital Records and Files

Using a Third-Party Tool

If you are using a third-party application, for example, using an application like Wave or Freshbooks to generate and track your invoices, you will have to check on the GDPR compliance policy of that company. Most companies are busy working towards compliance but the onus is on you to check. Because any software like that will require you to have an account with a secure login process, as long as the company says they’re compliant, you’re probably good to go: just make sure your password is as secure as it can be. If you’re not using one of the many password manager tools, now would be a good time to start (although they come with their own risks, of course!).

If you’re not sure, get in touch. Most software providers are fully aware of the demands being placed by the new GDPR rules and are keen not to lose business due to non-compliance.

On your Computer

If you keep data locally, on your PC, you need to know where it is so you can find it to provide it on customer request and/or remove it. And it needs to be secure. The question to ask yourself is this: if someone steals my computer, my phone, my iPad (or whatever piece of tech you store your files on), can the personal data of my customers be accessed? If the answer is yes, there are a few simple things you can do to lock that information down.

Encrypt Your Computer, Files and/or Folders

First, you need to ensure that your PC and the files you store there are encrypted, which in plain terms means the contents can only be read by someone who has the password or key.

You want to make sure your PC is locked. Think about whether someone who finds or steals your PC could open it and start working without having to jump through any security hoops. Make sure you have a login password, PIN, or fingerprint scan set up to access your device.

Then, make sure you have an encrypted folder specifically for any files that include customer data. There are several ways to do this: you can pay for software, you can use a ZIP or other password-protected archive in place of folders for customer files (a bit clunky, but it would do the job), or – chances are – you can use software that is already installed on your computer, either bundled with the OS or as part of your internet security package. If you’re running paid-for software from one of the main internet security companies, check what’s available. For example, Kaspersky Total Internet Security provides a tool called Secure Folders and Comodo Internet Security has Protected Data Folders. No need to spend any more money. Bonus.

Secure your Backups

Backing up to The Cloud

If you’re backing up to The Cloud (think Google Drive or Dropbox) you need to ensure that their service is secure and GDPR compliant. More and more of us are using cloud storage these days, but as that will involve passing digital information from your computer to the cloud, how secure is that really? Is encryption used when the files are transferred? Is it a US or EU based company? What happens in the event of a data breach? Where is the data stored?

And it’s not as simple as you think: lots of us use Google Drive nowadays and while it’s really easy to back up your files using their Backup and Sync tool, which is fine for your personal files, unfortunately (at least at the time of writing) it’s not a workable option for your customer files. Why? Because Google have said that unless you’re paying for the service as part of a My Business account, Google Drive (personal) is not GDPR compliant.

Backing up to an External Drive

If you’re backing up to an external drive, you need to make sure that access is encrypted. As with your physical computer, ask whether someone who took your drive could open it and access your files. Protect your device and your files in the same way you would on your computer.

Secure your Hard Copies

So much for the paperless office. We all end up with paper copies of some sort – and some of us prefer to keep records that way. If you are keeping records on paper, the security question goes back to what happens if someone accesses your files. In the same way that you are responsible for protecting electronic files, you’re required to ensure paper files are secure. With paper files that means keeping them under lock and key. That means getting a lockable drawer or filing cabinet – ideally something fireproof, just to be sure – and locking them away.

And Last Steps…

Lastly, document it all. You should have all this in a single file as the result of your audit. If not, now would be a good time to do it.


Image credit: iStock.com/drogatnev

Disclaimer: This information is intended as guidance only. It is not a substitute for legal advice and is based on personal research conducted by the author. Ensuring your business is GDPR compliant is the responsibility of your Data Controller.

If you need help with this or any other aspect of your home or business IT, contact me to arrange a free consultation.

Tools & Tips

Your Website and GDPR: Privacy Policy and Consent

In my previous post, Are You GDPR Ready?, I suggested seven steps you should take to get ready for GDPR. In this post I’ll address numbers two and three: how to publish a Privacy Policy on your site to gain your users’ consent, and how to implement an Opt-In policy.

Publish Your Privacy Policy

Step 1:  Write Your Privacy Policy

Yes, the first thing to do, if you don’t already have one, is to write the policy. The new regulations advise businesses to use ordinary language so the best way to do this is to write it yourself. Take a look at the one on this site and also take a look at others, ideally for businesses similar to your own. Assuming you’ve done your audit already, you should understand exactly what data you have, how and why you use it, and where and how it is stored. All of that information needs to go into your policy document.

Step 2: Publish the Privacy Policy

To publish this to your site, create a new page for your website or blog and copy the policy text there.

It’s good practice to make this easy to find, so add a link to it from your website’s menu or somewhere out of the way but not hidden, like the page footer.

Step 3: Share Your Privacy Policy with Visitors to Your Site

If you have a website built around one of the many CMS platforms – Joomla, WordPress, SquareSpace, or Wix – the developers are ahead of the game, and there are a number of plugins that will make your work easier.

This site, based on WordPress, uses the plugin called GDPR by TrewKnowledge. It’s easy to set up and requires linking to your privacy policy page and some text added for the cookie consent popups. It has a bunch of other advanced features that you can use, if you need to.

Search Google and you can easily find similar tools for the other platforms listed above. If you’re not sure what any of this means, ask your web developer for help but don’t ignore the issue! It’s a necessary step in ensuring your site (and therefore your business) is compliant.

If you’ve got a static website, the simplest way to do this is to make your new privacy policy page the landing page for your site. That way you know anyone who visits your site will have read it. Put the link to your main site on the policy page itself, with link text that makes it clear that by clicking through to the site they accept the policy.

The downside of this approach is that it’s fairly unsophisticated: anyone visiting the site again will again be taken to the same policy page and will be required to consent on each repeat visit.

Implement an Opt-In Policy

If you collect email addresses for a mailing list or use forms, you need to ensure that users opt-in to any use of or storage of their data.

Opt-In to Mailing Lists

Most mailing list forms require the user to enter their name and email address before clicking a button to submit the form. Make sure that your text explicitly states how this information will be used (e.g., “in order to send you the weekly newsletter”, or whatever) whether or not it will be shared with or used by third parties, and anything else relevant to the person signing up in order that they can consent to it. You then need to ensure that any emails that are sent to the list, including any welcome message, makes it clear how the person who has signed up unsubscribes. That’s pretty standard stuff these days, but it’s worth checking that you have your house in order.

Opt-In for Forms

For contact forms, you must add a check box alongside a statement requiring consent for the data provided to be used and stored. It’s also worth putting a link to your privacy policy, but that alone is not good enough: you need to spell it out to the user there and then, in order that they can consent. An example of this is to say: “By submitting this form you consent to [company name] using and storing your information in order to respond to your inquiry.”
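The check box only does its job if the server refuses submissions that arrive without it ticked and keeps a record of what was agreed to. The following is an added example (not from the original post or any plugin) of that server-side check in Python; the company name, policy version, field names and consent wording are assumed placeholders.

```python
from datetime import datetime, timezone

# Wording shown beside the checkbox; constructed to match the style of statement in the post.
CONSENT_STATEMENT = ("By submitting this form you consent to Example Ltd using and storing "
                     "your information in order to respond to your inquiry.")
POLICY_VERSION = "2018-05-01"  # assumed: the date of the published privacy policy
REQUIRED_FIELDS = ("name", "email", "message")

class ConsentError(ValueError):
    """Raised when a submission arrives without an explicit, affirmative opt-in."""

def accept_contact_form(payload, now=None):
    """Validate a contact-form POST body and return the record to store, or raise.

    Browsers omit a checkbox field entirely when it is not ticked, so a missing 'consent'
    key means no opt-in. Checking here rather than only in the browser matters because
    client-side validation can be skipped."""
    # Accept only an explicit affirmative value; anything else is treated as no consent.
    if str(payload.get("consent", "")).lower() not in {"on", "true", "yes", "1"}:
        raise ConsentError("submission rejected: consent checkbox not ticked")
    missing = [f for f in REQUIRED_FIELDS if not payload.get(f)]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return {
        # Data minimisation: keep only the fields the stated purpose needs, not the whole POST.
        "data": {f: payload[f] for f in REQUIRED_FIELDS},
        # The consent record answers "what exactly did they agree to, and when?"
        "consent": {
            "given_at": stamp,
            "statement": CONSENT_STATEMENT,
            "policy_version": POLICY_VERSION,
            "purpose": "respond to inquiry",
        },
    }
```

Store the returned record as one unit, so that a later access or deletion request can be answered with both the data and the consent it was collected under.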

As with anything, there is more you can do, but for small businesses and organisations it’s unlikely to be necessary.


Disclaimer: This information is intended as guidance only. It is not a substitute for legal advice and is based on personal research conducted by the author. Ensuring your business is GDPR compliant is the responsibility of your Data Controller.

Now read part 3 in this series.

In the next post find out how to make sure files you create and store, on your laptop or other device, are secure.


Image credit: iStock.com/oatawa

Do you need help? Contact me now to arrange a personalised tech support or training session.
Security

Are You GDPR Ready?

What is the GDPR?

From May 28th the new General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, comes into effect. It will give individuals far greater control over their personal data, with the scope of what constitutes personal data greatly enhanced to include:

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

For businesses in or trading within the EU, this means much tighter controls need to be in place to ensure that the terms of the GDPR are not being breached. The full text of the regulations is available online from the GDPR Info website and is required reading for anyone who is responsible for data within a company of any size and all sole traders.

For small businesses, this may seem daunting, but there are a few simple things you can do.

7 Steps to Get Ready for GDPR

  1. Audit all the personal data you use or hold. This means information for customers, visitors to your website, newsletter or mailing list subscribers. This means data you hold or collect both on and offline.
  2. Publish a Privacy Policy on your site. This must be written in plain and readable language and clearly state what information you use and hold, why it is used, where it is held (if it is stored), and how individuals can request details about their personal data and also request its removal.
  3. Implement an Opt-In policy. For your website, this means you need to ask every visitor to your site whether they are happy with your Privacy Policy before they access the site and any information is transmitted.
    For any mailing list subscribers, you need to contact them asking them to confirm that they accept your privacy policy and wish to continue their subscription.
    And any forms on your site need a consent button, so people know what information you will hold and an opt-in for any related mailing lists.
  4. Move your site from HTTP to HTTPS. This is vitally important if you run an online store or accept credit card details. It’s less of a priority for non-commercial sites but does give your visitors a level of reassurance and also has advantages for your site’s SEO.
  5. Update your Terms & Conditions. These must specify what data you hold, why, where, and how customers can find out about this. Communicate any changes to an existing policy to your customers.
  6. Document your Data Retention Policy. Know what you are storing where so that if someone asks what you are holding or asks for information to be deleted, you can easily find it and comply.
  7. Ensure all Personal Data you hold is stored securely. This means checking that any cloud storage you use is GDPR compliant (for example, Google Drive is not unless you have a My Business account), and any files that you keep in your home or on your laptop are secured, either with a physical key or with a digital one.

Now read part 2 in this series.

In this next post find out how to make sure your website is GDPR ready by publishing your privacy policy and obtaining consent from new visitors.


Image credit: iStock.com/Matthew de Lange

Do you need help? Contact me now to arrange a personalised tech support or training session.