IT Technical Essentials for Data Privacy Compliance

Overview

This article contains information about essentials for data privacy compliance. One of the fundamental tenets of most Data Privacy legislation is that a company must ensure that it has adequate Technical and Organisational measures to protect Personal Data that it holds. Whilst we strive to ensure that the Invenias system provides the highest level of data security, protection and backup, any structure is only as strong as its weakest link. You will need to make sure that your professional users uphold the same degree of attention to basic data security actions that you can expect from Invenias.

We’ve put together a list of the primary challenges to data security that you are likely to experience in your own environment. If any of these ends up being the source or cause of a data breach or a compliance failure, it could result in expensive and potentially business-threatening fines. For each issue, we have identified the simple actions that would mitigate the risks; in addition, your team will benefit from smoother and more effective working, fewer interruptions and crashes of their machines and a more secure and stable IT environment in which to work.

As most jurisdictions introduce new legislation, they are bringing in much higher levels of fines for non-compliance and there is significant focus on data breaches. If a data breach occurs then the company has obligations to notify the relevant authorities/parties, and this is most likely to be the primary reason behind fines, investigations, audits and compensation claims. The most likely source of a data breach will be a hacker or unauthorised user gaining access to data by exploiting an unprotected weakness in your local systems.

You may already have an IT service provider to support you or you may look after all your needs internally. Either way, you need to have somebody available to ensure that your technical requirements are satisfied.

It could be argued that it is just as important to demonstrate your compliance as to comply. Following these simple procedures for your technical environment will provide a great demonstration of your company’s commitment to data protection and security.

This article is not a substitute for Legal Advice.

This article covers:

Reboot your machine

Run Windows updates

Keep drivers current

Run Microsoft Office Updates

Run Virus Checker updates

Check Your Network Speed

Upgrade to 64bit Office 365

Make sure your machines are up to minimum specification

Limit the number of systems you use to store and process data

Reboot Your Machine

When you switch off your laptop or PC at the end of the day, the internal systems close down properly and take the opportunity to update and fully install any new security patches or clear out corrupted, problem or temporary files. Imagine if you weren’t able to go to sleep at night: how long would it be before you started to find it difficult to function? Give your machine the night off. It's also important to recognise that the latest version of Invenias is only installed after a restart of Outlook.

Run Windows Updates

In this world of bots, dark web, hackers and ransomware, it’s essential that you make sure you have the latest updates to your operating system. A virus or malware can spread incredibly quickly and the software companies are running to keep up. All the time you’re running without the latest patch or update you’re exposing your machine and your company to significant risks. If it feels a little inconvenient, just picture the inconvenience of coming in to find your machine locked by ransomware and all your files corrupted. Whole companies have been destroyed by this. In addition, the failure to apply simple security measures may really count against you and increase the level of fines to be applied.

Keep Device Drivers Current

The drivers on your machine make sure all the hardware runs smoothly. If you run your Windows updates and regularly reboot your machine then you should be covered on this, but you should also make sure that you have enabled the automatic driver updates that come with your hardware. If you’re running a Dell machine and you get the message to update a driver, make sure you follow the instructions. Don’t download automatic driver update utilities from the internet (these can make matters worse), but do use your manufacturer's and software providers' update facilities.

Run Microsoft Office Updates

Just as important as running the Windows updates is ensuring that your Microsoft applications are all up to date. There have been numerous incidents of bugs in Word or Outlook that could be exploited to allow access to your machine. That access could include keyboard logging to capture all your IDs and passwords, in which case every system you use could be compromised and that puts you at risk of being the source of a Data Breach. Running the latest Microsoft updates will also ensure your machine runs smoothly with other systems, including Invenias, as we always integrate with the latest versions to ensure we provide the most up to date features. It also minimises the risk of your machine crashing due to an issue with the Office software suite.

Run Virus Checker Updates

We certainly hope you have effective and updated anti-virus software. Again, this should be set to automatically update with the latest anti-virus, malware and Trojan horse detection and prevention tools. As we’ve already highlighted, the risk of a virus or malware is heightened if you don’t have the latest protection. New threats come out with alarming frequency and rapidity. Your personal data as well as that of your candidates and clients could be at significant risk if you’re not following good practice on this front. Again, that exposes your company to the risk of significant fines.

Check Your Network Speed

This is one that could have unintended consequences. If your office network speed is too low to begin with or when it gets to the peak of a busy day it slows down due to being shared across too many people, the most likely outcome is that your staff will find other ways to get around it. This may include saving data locally on their machines in other formats such as spreadsheets, or finding ways to work outside of the office, at home or in coffee shops, and relying on WiFi connections that may be insecure or exposed. All of these create the risk that Personal Data of your candidates is held on unsecured systems and in an uncontrolled manner, increasing the risk of a data breach.

If you have a wired Ethernet network system installed, it's worth checking that your users are connecting their devices (where possible) using the wired network, rather than still connecting via WiFi. In addition to this, it's worth running speed tests on each network connection to ensure the connection is consistent throughout your office. As networks are often changed or added to over time, some users may end up connecting through a different standard of hardware (e.g. network switches, daisy-chaining of connections, etc.) compared to other users, which can result in poorer network performance for a subset of users. We have seen examples of high-speed network connections being inhibited by outdated network switches and routers, reducing the overall speed.

There are recommended minimums for network speeds and adhering to these is going to ensure your teams and lead consultants are more productive, as well as reducing the risks to the business.

Upgrade to 64bit Office 365

Click here for a Microsoft guide on the differences between 32 and 64 bit office.

Running the 64bit version of Microsoft Office 365 (if your machine allows) instead of 32bit means that your applications can access much more memory. This allows your machine and applications to work faster and more efficiently. This also means you can work faster and more efficiently because you’re not wasting time waiting for applications to load or dealing with PC crashes. The additional risk in a company of slow machines and laptops that crash is that staff are tempted to work on their own machines, either in the office or at home. This can mean Personal Data of your candidates starts to get saved outside of a controlled environment. Using 64bit is one of the best ways to fix issues with speed and crashing and is recommended by Microsoft, especially when you’re working with large datasets.

Make Sure Your Machines Are up to Minimum Specification

In the same way that low network speed and running 32bit can create a risk that staff will use other machines or suffer slow operating speeds and crashes, having poorly specified machines in your business creates an inefficient and risky working environment. We understand that it’s a costly investment and commitment to have the latest hardware and software, but if you want your team to operate as efficiently and optimally as possible and avoid wasting time on avoidable issues, then it’s worthwhile. The lower the specification of a machine, the more likely it is to run into issues. We recommend some minimum requirements for a good system that will minimise issues (currently 8 GB RAM, SSD hard drive and Core i5, but watch for updates). You want your team to be using the best tools to ensure the best service and you also want those tools to support and encourage the use of the systems you invest in. As soon as your staff start to move outside of your operational system due to frustrations with hardware or software, you’re likely to be exposed to data privacy risks.
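The checks in the sections above (recent reboot, Windows updates applied, anti-virus signatures current, 64bit Office, wired rather than WiFi, and the minimum hardware specification) can be turned into a single read-only audit that IT runs on each workstation and keeps as evidence of compliance. The script below is an added example written for this article; it is not Invenias code and not part of the Invenias product. Its thresholds (weekly reboot, an update within 45 days, signatures no older than 3 days) are assumptions to adjust to your own policy; it assumes Microsoft Defender is the anti-virus, that the first physical disk is the system disk, and that Office is a Click-to-Run install (which records its bitness under the `ClickToRun\Configuration` registry key). Run it in an elevated PowerShell session on Windows.

```powershell
# Added example, not from the Invenias article: read-only workstation hygiene audit.
# Run as Administrator (needed for Get-PhysicalDisk and Get-MpComputerStatus).

function Get-WorkstationHygieneReport {
    param(
        [int]$MaxUptimeDays     = 7,     # assumption: reboot at least weekly
        [int]$MaxHotfixAgeDays  = 45,    # assumption: a Windows update within ~45 days
        [int]$MaxAvSignatureAge = 3,     # assumption: Defender signatures no older than 3 days
        [int]$MinRamGB          = 8,     # article's minimum specification
        [switch]$AllowHdd,               # article recommends an SSD; set to relax
        [switch]$AllowOffice32           # article recommends 64bit Office; set to relax
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Check, [bool]$Pass, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. Reboot: time since the last boot.
    $os     = Get-CimInstance Win32_OperatingSystem
    $uptime = (Get-Date) - $os.LastBootUpTime
    Add-Finding 'Reboot' ($uptime.TotalDays -le $MaxUptimeDays) ('Uptime {0:N1} days' -f $uptime.TotalDays)

    # 2. Windows updates: date of the most recently installed hotfix.
    $lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($lastFix) {
        $fixAge = ((Get-Date) - $lastFix.InstalledOn).TotalDays
        Add-Finding 'WindowsUpdate' ($fixAge -le $MaxHotfixAgeDays) ('{0} installed {1:d}' -f $lastFix.HotFixID, $lastFix.InstalledOn)
    } else {
        Add-Finding 'WindowsUpdate' $false 'No hotfix install dates found'
    }

    # 3. Anti-virus: Microsoft Defender signature age and real-time protection.
    #    (A third-party product needs its own check in place of this one.)
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        Add-Finding 'AntivirusSignatures' ($mp.AntivirusSignatureAge -le $MaxAvSignatureAge -and $mp.RealTimeProtectionEnabled) `
            ('Signature age {0} days, real-time protection {1}' -f $mp.AntivirusSignatureAge, $mp.RealTimeProtectionEnabled)
    } catch {
        Add-Finding 'AntivirusSignatures' $false "Defender status unavailable: $($_.Exception.Message)"
    }

    # 4. Office bitness: Click-to-Run installs record Platform as x64 or x86 (assumed install type).
    $c2r      = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $platform = (Get-ItemProperty -Path $c2r -Name Platform -ErrorAction SilentlyContinue).Platform
    Add-Finding 'Office64bit' ($AllowOffice32 -or $platform -eq 'x64') "Platform: $platform"

    # 5. Hardware minimums: RAM (TotalVisibleMemorySize is in KB), system disk type, CPU.
    $ramGB = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)
    Add-Finding 'RAM' ($ramGB -ge $MinRamGB) "$ramGB GB"

    $sysDisk = Get-PhysicalDisk | Sort-Object DeviceId | Select-Object -First 1   # assumption: first disk is the system disk
    Add-Finding 'SSD' ($AllowHdd -or $sysDisk.MediaType -eq 'SSD') "MediaType: $($sysDisk.MediaType)"

    $cpu = (Get-CimInstance Win32_Processor | Select-Object -First 1).Name
    Add-Finding 'CPU' ($cpu -match 'i[579]-|Ryzen|Xeon') $cpu   # assumption: Core i5 or better is acceptable

    # 6. Network: is at least one active adapter wired (802.3) rather than WiFi?
    $up    = Get-NetAdapter | Where-Object Status -eq 'Up'
    $wired = @($up | Where-Object PhysicalMediaType -eq '802.3').Count -gt 0
    Add-Finding 'WiredNetwork' $wired (($up | ForEach-Object { "$($_.Name) [$($_.PhysicalMediaType)]" }) -join ', ')

    return $findings
}

$report = Get-WorkstationHygieneReport
$report | Format-Table -AutoSize
# Non-zero exit code lets a management tool flag machines that need attention.
if ($report | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

Keep the output alongside the date and machine name; a dated set of passing reports is exactly the kind of demonstrable evidence of technical measures that the overview says matters as much as compliance itself.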

Limit the Number of Systems You Use to Store and Process Data

Finally, consider how many different systems your team may be using and how easy it will be to control, manage and monitor where data is held and processed across those systems. If you have consultants or researchers who are using shadow systems (their own CRMs), spreadsheets and note taking apps then you risk not having proper controls around the Personal Data that might be held there. That means you can’t properly assess the risks and that in turn exposes your company to the risk of data breaches or not being able to properly respond to a Data Subject Access Request. The more you can consolidate and optimise on one or a few core systems, the more control you will have over the personal data you hold. That’s a key requirement of most Data Privacy legislation, allowing you to ensure you have privacy by design at the heart of your business.