Updating your data protection policies for “unprecedented times”
Lockdown has brought us a whole new lexicon - unprecedented, furlough, Barnard Castle - and for many small businesses, a host of new technologies. So before we head off into the “new normal” you should make time to think about data protection.
Make sure you have:
Clear and concise policies, procedures and guidance for your team who are working remotely. And most importantly, that they can access them whilst working out of the office. The noticeboard in the office probably won’t help right now!
The contact details of your Data Protection Officer or Lead to hand. If you suspect a data breach might have occurred you need to report it ASAP - the company has only 72 hours to report it themselves. Time is precious when it comes to GDPR compliance.
Carried out a Data Protection Impact Assessment on any new technology you are now using to get stuff done. Not sure what that is? It’s like a risk assessment for privacy. And we all LOVE a risk assessment right?! Right folks?!
Checked that all your online systems and documents are not set to public or accessible without a username or password. Even the team behind the new NHS contact tracing app forgot this one 🤦🏻♀️
Investigated whether multi-factor authentication is available for the systems you are using and configured it where possible. (That’s the thing where you get a separate code sent to your mobile phone via SMS, or generated by an app such as Google Authenticator.)
Got access to business-specific accounts. Don’t rely on personal email or messaging accounts for work activities. Your client does not want to be getting their latest invoice from firstname.lastname@example.org 🍷
Reminded your team to use the most up-to-date version of your remote access solutions including video conferencing, cloud storage, VOIP phone, chat apps, Tinder...
Prompted everyone to use unique and complex passwords, and to change them regularly. And no, 123456 is not unique or complex. In fact, it has the unique accolade of being the official “Worst Password Since 2013”. Put a reminder in your calendar to update your passwords at least every 90 days 🗓
The ability to support your team and any company devices. Consider tutorial videos, webinars, lunch and learn sessions, and buddying your geeks up with non-geeks to help share systems knowledge within your team. YouTube is a great source of free support content if your team is a geek-free zone.
Ensured that, where your team are using their own personal devices, they cannot inadvertently or deliberately move the organisation’s data into their personal storage. The details of 44,000 customers of a US insurance company were leaked in an unmalicious USB-stick-based whoopsy back in 2016.
Made sure that business data can’t be accessed by other members of the family if you or anyone in your team are sharing devices for PE with Joe Wicks. Joe-kes aside, the lockdown has exacerbated the digital divide in the UK. Many families do not have multiple devices for work from home, school from home, university from home, home from home...
A safe place to lock away work devices and print-outs when they aren’t in use, and a secure way of destroying paper copies of business data. A cross-cut shredder is ideal. If not we can recommend a dog or the weekend BBQ…
I know that not everyone gets as excited as I do about privacy. It’s not just about compliance and box-ticking. The 4% of turnover fine for GDPR non-compliance does focus the mind for most. But for me, data protection is actually about respectful and responsible business practice. It’s something I love to talk about, simplify and sort out for small business owners. So if you’d like some of my time to talk privately about privacy then please do say hello.