GDPR: 7 ways to get your ass covered
GDPR made people rethink their privacy. They are getting to know the legislation and their rights, and they are not afraid to put companies to the test.
This legislation also made many companies rethink their data processing, data flows, access rights, contracts with third parties and more. In this article, I want to share 7 ways to get your company’s ass covered.
1. Manage your passwords
On a private level, but also on a business level, you need to implement a strong password policy. Your employees should be forced to change their passwords once every few months, and they should use strong passwords that are not easily guessed. Each application should have its own unique password.
2. Adjust authorizations
Too many companies don’t block or change the authorizations and access rights granted to employees on their systems when those employees leave the company. The former employees often keep their access codes. Make sure you block the accounts and change the authorizations and access rights when employees no longer work for your business. Additionally, not all employees should have access to all data. There are good technologies, such as Varonis, for managing access based on Active Directory permissions.
3. Check the data subject
People are entitled to ask whether you process their personal data, and which data that is. But not everyone has good intentions. You should definitely check whether they are who they claim to be. The data subject who asks you about their personal data should identify themselves. Make sure you ask for proof. A copy of the front of their ID, or them logging in to their support portal, or … might be a step in the right direction.
4. Control third parties!
Most of the time, there are also third parties involved who sub-process your data. To cover your ass, you should definitely conclude solid contracts with them that clearly cover GDPR obligations. You can also verify them yourself, for example by means of audits. Are they securing their data center? Are they checking their logs to detect abnormal behavior?
5. Provide professional security
You have to take the right security measures to protect your data. Register your data flows and make sure you can detect deviant behavior in the logs. Internal breaches should be avoided at all times. SecureLink provides services that tell you how well you are scoring with regard to security measures and gives you actionable advice through the SecureInsight Security Maturity Assessment. Go to our SMA page for more information.
Since data resides in the data center, you really have to make sure you have the right people, processes and technology in place to protect it. The same goes for the cloud. When it comes to cloud security, the cloud provider is not responsible for everything: you, as a company, have responsibilities too. Go to our cloud security page to check out who is responsible for what.
6. Make sure you patch
Unpatched software is a magnet for malware. You need to patch in time to avoid being compromised. Organizations can be held responsible for a security breach that relates to measures, such as patches, that should have been taken beforehand. How do you know which missing patches are a risk for your organization? SecureLink has a managed security service to manage your vulnerabilities. Go to our Vulnerability Management page to learn more about our SecurePrevent Vulnerability Management service.
7. Train your employees
Phishing, spoofing, dumpster diving, shoulder surfing, role play… Many companies think they have the right technology in place to face these social engineering attacks. But it requires people and processes too. One single inattentive employee (End User) can cause a data leak. It is therefore very important to train your End Users to be aware of the dangers of social engineering and the potential impact it can have on their company.
Want more info on how to train them? Go to our End User Security Awareness Page.