GDPR and the IT Professional

Written on 21 October 2019.

This Month: The IT Manager…

Welcome to the tenth article in our series of professionally-themed insights for 2019.

Each written with a specific profession or role in mind, they’re packed full of helpful ponderables, tips and advice to make the GDPR work for you in your everyday 9-5.

This month, we’re covering the need-to-knows, good-to-knows and no-nos (!) for all you IT Managers out there.

We hope it makes your GDPR life that little bit easier.

Dear IT Manager…

We bet you love data protection – as if you didn’t already have enough to think about maintaining a secure and smooth-running IT network!

But whether you work in-house or are outsourced, your GDPR responsibility remains the same: ensuring the safety of the data your systems and users handle.

So, here’s some basic guidance and gentle reminders on how best to incorporate good GDPR practice into your IT role…

1. In-house or outsourced, you need to get it right!

If you work in-house then, ideally, you’re already an integral part of driving good GDPR practice and championing compliance across the business – from both data controller and data processor standpoints. Essentially, you need to have a thorough appreciation of pretty much everything, including applying the correct lawful basis for storing staff and client personal information, mapping all your data so you know exactly what you hold and where, and providing a clear and easy-to-read overview of your data protection responsibilities in the company’s Privacy Policy.

If you provide outsourced IT, although you’re not the data controller (that’s the company for whom you’re providing support), you still need to know your responsibilities as a data processor. The best data processor-data controller relationships tend to be collaborative ones so it’s worth investing in this. That way, nothing will get missed between you. And, by knowing exactly what your GDPR responsibilities are as a data processor, it’ll be much easier to remind your client of their responsibilities as the data controller – and, ultimately, ensure that they’re not inappropriately passing the buck to you!

For instance, how robust is your client’s approach to data protection and compliance? Knowing that they’ve comprehensively mapped their data (see above) not only reflects a good attitude and commitment to best practice, it also ensures that they’re on top of everything; they can justify exactly why they do it, how they do it and where they do it – even to the extent of others’ involvement. And, just as importantly, so that you’re not left to fill any gaps.

Having a contract in place too is a great way to ensure that both parties know what’s expected of them and, remember, all admin rights should always belong to the data controller…

Do you know your GDPR responsibilities?

2. Check for vulnerabilities in your systems.

Once you have all your GDPR fundamentals in place, there’s a lot of benefit to stress-testing your systems and processes to see how well they stand up to scrutiny.

With the GDPR, there’s no such thing as being over-prepared. A Data Protection Impact Assessment (DPIA) helps take your contingency planning up a notch by building a risk profile and safeguarding against the unexpected. It’s particularly valuable if you’re building databases, helps you to rationalise what’s being collected and why, and how best to handle the inherent data breach risks that come with the territory.

How well have you mitigated against potential risks?

3. It’s much much better to be safe than sorry (or IMMBTBSTS!)…

You’d think that this would go without saying but there’s a good reason for including this. Even when a DPIA has been carried out for the big stuff, it’s often the more minor or innocuous things that get overlooked or catch people out. Like passwords, viruses and phishing scams.

Don’t be the Equifax senior manager who decided that the best password for protecting highly sensitive data was ‘adminadmin’! Instead, hand out or recommend (insist upon!) complex 10-digit passwords as a minimum.

And while you’re at it, make sure that you have the latest software, anti-malware and anti-virus programmes installed, as well as alerting staff to new phishing scams that may be doing the rounds.

How proactive are you promoting secure data protection practices?

4. Ensure additional safeguards for all portable/remote kit

In addition to giving recommendations on password usage, ensure that any portable IT devices supplied to employees are kept secure. Consider encryption and regularly updating login details or introducing 2-step verification; and, in the event of a device being lost or stolen, ensure that a remote wipe function has been installed so that no sensitive information can be accessed.

Even if employees are expected to provide their own devices, you can still recommend the above practices – particularly if they’re using them for both work and personal purposes. Additional protection may involve having a separate login or portal for them to access work platforms and data from personal mobiles, laptops and PCs.

How secure are your employees’ IT devices?

5. Be prepared so that departing employees leave with nothing more than good wishes…

Unless you’re extremely well organised, you can easily lose track of who has what equipment and what they have access to – even in relatively small companies.

So, keeping a detailed and updated inventory will help you stay on top of this. Not only will it prove particularly helpful when an employee leaves (especially if they’ve been with the company for a long time), it can also be combined with a comprehensive checklist to ensure that everything’s been returned and actioned accordingly (e.g. access permissions cancelled, assurances re deletion and non-storage of company files – extremely important if it’s a personal device that was used for work and which then goes on to be sold privately).

Are you aware of where all your IT kit is and who has access to what?

In-the-Know… Summary

The Need-To-Knows

• Know what’s expected of you as a data controller and/or processor.
• Check for and address any weak links in the system.
• Always have a data breach action plan – just in case.

The Good-To-Knows

• Routinely map your data so you know exactly what information you hold and where, and who else has access to it.
• Regularly review and install the latest software, anti-malware and anti-virus programmes, and ensure portable devices have a remote wipe function.
• A proactive approach to password generation and security is always time well spent.

The No-Nos!

And whatever you do, please…

• Discourage lax security measures amongst users and ensure that no records or files are inadvertently retained when an employee leaves.
• Don’t dismiss GDPR or not find time to take it seriously.
• Don’t put off asking for help if you need it.

Help and support is only a quick email away

If you’re all sorted with your GDPR IT practice and responsibilities, congrats!

However, if you’re not quite there yet and need a hand to make it less of a miss and more of a hIT, get in touch.

Not only will we help get you on track with how you approach the GDPR, we’ll also make sure that nothing else containing ‘IT’ hits the proverbial fan… ?

Until next time…