The new EU data protection law is fast approaching and yet a lot of us are still unsure how it affects us? If you’re an SME business and are yet to act, here are some key points to push you in the right direction:
Data mapping – Know what data you are keeping
The first step when tackling GDPR is to map out what data you keep. Grab a pen and note down all the places where customer and employee data is stored and whom and what programs (such as CRM systems) have access.
Security policy – Let your clients and employees know
In your terms and regulations, set out what client data you keep on file, and for how long; note that if you use 3rd party vendors and need to pass on customer data, it should be included in your terms. An example may be, if you use a courier to send out goods then the customer’s address will be passed to the vendor. It goes without saying this is an essential procedure for you to complete your contract of sale, you should be covered if it’s within your terms and conditions. The same applies with your employees, review the contracts of employment, make sure you are covered for the data you hold on them and checks you may do, such as email monitoring, CRV checks, or social media activity monitoring.
Security agreements – Know that your vendors are covered
Just as you need to protect yourself, you need to be sure your vendors you use are covered too. Obtain a copy of their data protection agreements to make sure they are compliant.
Data retention – Procedure for the removal of data
Data should not be kept indefinitely, formulate a procedure for the removal of data that has surpassed your retention policy. Note that the legal requirements for duration will vary depending on what data you hold.
Email marketing – Consent
Well this is a big subject, there are a lot of ways the GDPR relates to how you obtain data and how it can be used. I won’t be going into detail at this time, but I have 2 essential points for you to be looking at:
- Always have an ‘opt-out’ option of any marketing flyer or email.
- If you obtain a personal email i.e. email@example.com, request that they ‘opt-in’ to receive newsletters before adding them to a mailing list.
Brexit – Will we still have to comply with GDPR after we leave?
Yes, GDPR is a EU requirement, however even after Brexit, GDPR will still be applicable, as we will still have to deal with the EU.
I hope you found these basic tips useful, GDPR is essentially about transparency & accountability for the data you hold, if you want to know more, or would like to discuss if we can help you in your business, then please just get in touch.
Since the global coordinated ransomware attack on thousands of private and public sector organisations across dozens of countries on Friday, there have been no sustained new attacks of that kind. But it is important to understand that the way these attacks work means that compromises of machines and networks that have already occurred may not yet have been detected, and that existing infections from the malware can spread within networks.
This means that as a new working week begins it is likely, in the UK and elsewhere, that further cases of ransomware may come to light, possibly at a significant scale.
Our national focus must therefore be on two lines of defence.
The first is to limit the spread and impact of the attacks that have already occurred. Due to broad government and partner efforts, a variety of tools are now publicly available to help organisations to do this. This guidance can be found on our homepage – ncsc.gov.uk – under the title Protecting Your Organisation From Ransomware: https://www.ncsc.gov.uk/guidance/ransomware-latest-ncsc-guidance
We know already that there have been attempts to attack organisations beyond the National Health Service. It is therefore absolutely imperative that any organisation that believes they may be affected, follows and implements this guidance. We have set out two pieces of guidance: one for organisations and one for private individuals and SMEs which can be applicable regardless of the age of the software in question. It will be updated as and when further mitigations become available and we will announce when updates have been made on Twitter (@ncsc) and elsewhere.
Secondly, it is possible that a ransomware attack of this type and on this scale could recur, though we have no specific evidence that this is the case. What is certain is that ransomware attacks are some of the most immediately damaging forms of cyber attack that affects home users, enterprises and governments equally.
It is also the case that there are a number of easy-to-implement defences against ransomware which very considerably reduce the risk of attack and the impact of successful attacks. These simple steps to protect against ransomware are not being applied by either the public or organisations as thoroughly as they should be.
Three simple steps for companies to undertake which are also set out on our website (https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware) and can be summarised as follows:
Protecting your organisation from ransomware – NCSC Site
How does ransomware infect your system? Computers are infected with ransomware via a number of routes. Sometimes users are tricked into running legitimate-looking …
1. Keep your organisation’s security software patches up to date
2. Use proper anti-virus software services
3. Most importantly for ransomware, back up the data that matters to you, because you can’t be held to ransom for data you hold somewhere else.
Home users and small businesses can take the following steps to protect themselves:
1. Run Windows Update
2. Make sure your AntiVirus product is up to date and run a scan – If you don’t have one install one of the free trial versions from a reputable vendor
3. If you have not done so before, this is a good time to think about backing important data up – You can’t be held to ransom if you’ve got the data somewhere else.
In the days ahead, the NCSC, working closely with the National Crime Agency in support of their criminal investigation, and with international partners in both other governments and the commercial sector, will continue our round-the-clock effort to get ahead of this threat. We would like to reassure the public that resources from the Government, law enforcement and public and private sector organisation are working together to manage further disruption from the current attack and to increase protection against any further attacks in the coming days. The country’s security and law enforcement agencies are working round the clock to protect the public. Private sector efforts have made a very significant contribution to mitigate the cyber attacks so far and to prevent further disruption.