GDPR & Data storage
GDPR stands for General Data Protection Regulation, which came into force in May 2018. It was an EU Directive that was then converted into UK legislation, which all UK companies now need to (should!) be following.
The concern began when personal data was being used by companies for purposes other than those it was collected for. Ever had a cold call on your mobile from an unknown company and wondered “where did they get my details from?!”. This is what it was designed to stop.
Most companies process data legitimately and should be following the new law.
As part of our service we have a full implementation process for companies which covers the following:
- Assessments – data inventories, consent matrices, data flow maps and a legitimate interests assessment
- Information Asset Registers for both Clients and Staff
- Process Overviews for both Clients and Staff
- Policies – data protection, data sharing, direct marketing, information security, privacy, records management.
- Communications – making the correct notifications to stakeholders about the changes in processes made to comply with the legislation.
All of the above has been required under GDPR since May 2018. Some companies have already fallen short of the standard, and with a maximum fine of £20 million it is not something that should be overlooked. British Airways, Marriott Hotels and 1&1 have already received multi-million pound fines for breaches.
Data is hugely valuable and in most cases is what cyber criminals are attempting to obtain.
Guidance on data security is generally broken down into three areas that determine how securely your data is stored:
- What – what are you protecting?
- Who – who is accessing the data, or more appropriately, who needs to access the data?
- How – how are people accessing it, how is the system that provides that access designed, and is it secure?
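One way to turn the What / Who / How questions into a repeatable check, as an added example that is not code from the original page or from the service it describes: the script below reviews a constructed data inventory (What: each asset and its classification), compares the roles that have been granted access against the roles that actually need it (Who), and checks the recorded access paths for cleartext transport, missing encryption at rest and weak authentication (How). The asset names, roles, protocols and the rules themselves are assumptions made for the illustration, not a standard any regulator publishes.

```python
"""
Added example (not code from the original page): a least-privilege and
access-path review over a constructed data inventory, organised around
the What / Who / How questions. Every asset, role, grant and access path
below is made-up sample data; the rules are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Asset:
    """WHAT: a data store and how sensitive its contents are."""
    name: str
    classification: str           # "personal", "special-category", "internal" or "public"
    need_to_know: FrozenSet[str]  # WHO: roles that need this data for its stated purpose


@dataclass(frozen=True)
class Grant:
    """WHO: a principal holding a role that has been given access to an asset."""
    principal: str
    role: str
    asset: str


@dataclass(frozen=True)
class AccessPath:
    """HOW: the route through which the asset is reached."""
    asset: str
    protocol: str           # e.g. "https", "sftp", "smb", "http"
    encrypted_at_rest: bool
    auth: str               # "mfa", "password" or "none"


@dataclass(frozen=True)
class Finding:
    kind: str
    subject: str
    asset: str
    detail: str


SENSITIVE = {"personal", "special-category"}     # assumption: classifications under the strict rules
CLEARTEXT_PROTOCOLS = {"http", "ftp", "telnet"}  # assumption: transports that expose data in transit


def review(assets: List[Asset], grants: List[Grant], paths: List[AccessPath]) -> List[Finding]:
    """Return one Finding per rule violation; an empty list means the inventory passed."""
    findings: List[Finding] = []
    by_name: Dict[str, Asset] = {a.name: a for a in assets}

    # WHO: every grant must map to a role in the asset's need-to-know set
    for g in grants:
        asset = by_name.get(g.asset)
        if asset is None:
            findings.append(Finding("unknown-asset", g.principal, g.asset,
                                    "grant refers to an asset missing from the inventory"))
        elif g.role not in asset.need_to_know:
            findings.append(Finding("excess-access", g.principal, g.asset,
                                    f"role '{g.role}' is not in need-to-know {sorted(asset.need_to_know)}"))

    # HOW: the access path must suit the asset's classification
    for p in paths:
        asset = by_name.get(p.asset)
        if asset is None:
            findings.append(Finding("unknown-asset", p.protocol, p.asset,
                                    "access path refers to an asset missing from the inventory"))
            continue
        if p.protocol in CLEARTEXT_PROTOCOLS:
            findings.append(Finding("cleartext-transport", p.protocol, p.asset,
                                    "data crosses the network unencrypted"))
        if asset.classification in SENSITIVE:
            if not p.encrypted_at_rest:
                findings.append(Finding("unencrypted-at-rest", p.protocol, p.asset,
                                        f"{asset.classification} data stored without encryption"))
            if p.auth != "mfa":
                findings.append(Finding("weak-auth", p.protocol, p.asset,
                                        f"{asset.classification} data reachable with auth='{p.auth}'"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind, e.g. {'excess-access': 2, 'weak-auth': 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample inventory: the systems, roles and people are not real.
ASSETS = [
    Asset("crm_customers", "personal", frozenset({"sales", "support"})),
    Asset("hr_health_records", "special-category", frozenset({"hr"})),
    Asset("marketing_brochures", "public", frozenset({"marketing", "sales"})),
]
GRANTS = [
    Grant("alice", "sales", "crm_customers"),              # within need-to-know
    Grant("bob", "marketing", "crm_customers"),            # excess access
    Grant("carol", "hr", "hr_health_records"),             # within need-to-know
    Grant("dave", "it-contractor", "hr_health_records"),   # excess access
    Grant("erin", "marketing", "marketing_brochures"),     # within need-to-know
]
PATHS = [
    AccessPath("crm_customers", "https", True, "mfa"),             # passes every rule
    AccessPath("hr_health_records", "smb", False, "password"),     # no encryption at rest, no MFA
    AccessPath("marketing_brochures", "http", False, "none"),      # cleartext transport only (public data)
]

if __name__ == "__main__":
    for f in review(ASSETS, GRANTS, PATHS):
        print(f"[{f.kind}] {f.asset} via {f.subject}: {f.detail}")
```

Run as-is it prints five findings from the sample data: two principals whose role is outside the asset's need-to-know set, the health records store lacking encryption at rest and MFA, and the public brochure share served over cleartext HTTP (flagged for transport only, since public data triggers none of the sensitive-data rules). Feeding the same functions an export from a real access-control system is the manual part of the assessment; the rules encode what "needs to access it" and "is it secure" mean for a given organisation and should be adjusted to its own classification scheme.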
The best way to assess this is through penetration testing, which we carry out for companies across the UK.