A key principle of the UK GDPR (the security principle in Article 5(1)(f)) is that personal data must be processed securely, using appropriate technical and organisational measures.
What is regarded as appropriate technical measures?
The Information Commissioner’s Office (ICO) outlines some technical measures that an organisation should consider, including physical and computer/IT security. Let’s take a closer look at this below:
Physical security comes first. As a business you should consider the following:
- Building protection – whether the premises have appropriate perimeter protection. As an organisation, it is essential to consider alarms, security lighting and CCTV.
- CCTV – how cameras are distributed across the site, and whether the correct signage is displayed so that people know they are being recorded.
- Departmental access control – staff should only be able to enter the rooms in the building that are necessary for their work.
- ID passes – passes should grant access only to the floors and areas a staff member actually needs.
- Visitor protocol – visitors should be registered on entry and accompanied by the staff member they are visiting for the whole of their stay.
- Disposal of documents – think about how paper documents are disposed of. Are they shredded? Are they removed offsite in confidential waste bags, and by whom?
The security of your computer/IT systems is the other important factor:
- System security – what measures protect the systems that hold personal data, and what processes ensure the data is held securely?
- Data security – appropriate access controls so that only staff who need personal data can reach it, with the data itself stored securely.
- Incident planning – a documented process for detecting, containing and reporting information security incidents. Under the UK GDPR a personal data breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of becoming aware of it.
- Perimeter and endpoint protection – firewalls, regular malware scans and anti-virus protection, all kept up to date.
- Credential hygiene – use a password manager so that staff can keep a unique, strong password for every system, and enable multi-factor authentication where it is available.
- Encryption and pseudonymisation – encrypt personal data at rest and in transit, and pseudonymise where possible, replacing information that could be used to identify an individual with a token and keeping the key or lookup table separately from the data. Note that pseudonymised data is still personal data under the UK GDPR; only properly anonymised data falls outside it.
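As an added illustration of the pseudonymisation point above (example code written for this page, not from the ICO or from All Response Media), the block below pseudonymises an identifying field with a keyed HMAC-SHA256 and contrasts it with a bare SHA-256 hash, which is often mistaken for pseudonymisation. The key name, the candidate e-mail list and the sample record are constructed for the example; the key is generated at import time so the block runs stand-alone, whereas in practice it would be held in a separate, access-controlled store.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Assumption: in production this key is generated once and held in a
# separate, access-controlled store (e.g. a secrets manager), never alongside
# the pseudonymised records. A fresh random key is used here so the example
# runs stand-alone.
PSEUDONYMISATION_KEY = secrets.token_bytes(32)


def _normalise(identifier: str) -> bytes:
    # Canonicalise so that 'Alice@Example.com ' and 'alice@example.com'
    # produce the same pseudonym and records still link correctly.
    return identifier.strip().lower().encode("utf-8")


def pseudonymise(identifier: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Stable keyed pseudonym (HMAC-SHA256) for an identifying value."""
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256. Looks anonymous but is NOT adequate: identifiers
    such as e-mail addresses are low-entropy and can simply be guessed."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def pseudonymise_record(record: dict, fields: Iterable[str],
                        key: bytes = PSEUDONYMISATION_KEY) -> dict:
    """Return a copy of a record with the named identifying fields replaced."""
    out = dict(record)
    for f in fields:
        if f in out and out[f] is not None:
            out[f] = pseudonymise(str(out[f]), key)
    return out


def reverse_by_guessing(pseudonym: str, candidates: Iterable[str],
                        fn: Callable[[str], str]) -> Optional[str]:
    """Attacker's view: re-derive each candidate and compare. Succeeds
    against naive_hash; fails against pseudonymise without the real key."""
    for c in candidates:
        if hmac.compare_digest(fn(c), pseudonym):
            return c
    return None


# Constructed sample data (not real people).
CANDIDATE_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]
SAMPLE_RECORD = {"email": "Bob@Example.com", "postcode": "SW1A 1AA", "spend": 42.50}


def demo() -> dict:
    safe = pseudonymise_record(SAMPLE_RECORD, ["email"])
    attacker_key = secrets.token_bytes(32)  # attacker does not hold the real key
    return {
        "pseudonymised": safe,
        "naive_recovered": reverse_by_guessing(
            naive_hash(SAMPLE_RECORD["email"]), CANDIDATE_EMAILS, naive_hash),
        "keyed_recovered": reverse_by_guessing(
            safe["email"], CANDIDATE_EMAILS,
            lambda c: pseudonymise(c, attacker_key)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows the two outcomes side by side: the bare hash of the e-mail address is recovered from a short candidate list, while the keyed pseudonym is not. Keeping the key apart from the data is exactly the "additional information kept separately" condition in the UK GDPR definition of pseudonymisation, and the naive result is why a plain hash does not satisfy it.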
All Response Media Viewpoint
Poor information security can lead to the loss or abuse of personal data. Building security awareness across the organisation is the most effective way to avoid data breaches: give staff clear policies and procedures so they know what is expected of them, and keep their training up to date so that breaches are prevented rather than discovered after the fact.