We are coming up to the long school summer holidays again. Many working parents will be juggling working from home and childcare.
It is easy to forget about data security when the weather gets hot, and our laptop in the park beckons.
Before we get started, here are some top tips on securing your data.
USBs and GDPR
If you are not storing any personal data on your USB, then the risk to personal data security is zero. You may have other confidential material you want to protect anyway, but there is no general obligation on you to protect your own secrets.
If you are using USBs to move personal data then you (or your data controller) will need to evaluate the risk of losing that USB if it is not password protected and indeed if it is not encrypted.
If you lose a USB containing sensitive personal data, sensitive financial data, or a large amount of data, and it is not encrypted, you are going to have a lot of work to do to notify clients and the Information Commissioner's Office.
If your USB is not only password protected but also encrypted, the risk of anyone being able to read it is incredibly low.
Whilst encryption itself is not compulsory, it is relatively easy to set up automatic encryption of any USB you insert into your network/PC. It is an easy way to use the appropriate technology to reduce the risk of data loss.
Read your own rules too, as many organisations now require you to encrypt USBs before putting personal data on them.
Dropbox and GDPR
There are two types of Dropbox accounts – personal ones and business ones (which you pay for).
Dropbox does encrypt data. But if you change your document using a personal account you don’t have a roll back option. You may want to invest in a business account with all the roll backs and traceability that come with that.
Accidental deletion is still one of the top 10 data loss problems and personal Dropbox accounts don’t have a roll back feature.
Dropbox stores data in the USA (with appropriate Data Privacy Shields).
Is it permitted to email data between work email and home email?
If you are a Microsoft 365 user you will have access to SharePoint, which stores data in the EU for UK customers and has a roll back facility.
Emailing files to yourself and GDPR
If you are sending client data to yourself on personal email accounts you should check very carefully that you are permitted to do so.
Free email accounts are often not as secure as business set up (paid) email accounts. You will also find that you are a ‘3rd party’. Your clients have given your business permission to use the data and that may not extend to you sending it to your personal accounts.
Many mail servers are set up to automatically detect and block the forwarding of client data to personal email accounts. And many security rules make this a disciplinary, if not dismissal, offence.
There is no legitimate reason for anyone to share data outside of the corporate emails, even if it is ‘with themselves’.
Your laptop and GDPR
Whether you use a USB or a file sharing service, you should be careful about downloading personal data to devices that are not owned/controlled by your business.
Most organisations will want to do some kind of security audit and check up of your equipment, and you will need to sign agreements that give them permission to access it.
The more sensitive the data, the more likely it is that your organisation will want you to work via a remote desktop and not download anything at all to your personal laptop.
All portable devices, from laptops to phones, that contain client data should be encrypted (just like the USBs) to avoid data loss if you lose the device. It is all too easy to access a smartphone or hard drive, even one that is password protected, if you know how to do it.
Wi-Fi and GDPR
Your home Wi-Fi may not be secure. If you have friends and family who log on (even if you password protect it) there is always the risk of a virus getting through to your various devices.
The same is true for working in coffee shops or hotel lobbies.
Get yourself a VPN (Virtual Private Network) to ensure other household members or hackers cannot see the data that passes through your router.
GDPR and risk assessment
You won’t find a government list of what you must do and what you can’t do. Ultimately, data security under GDPR is about the Data Controller making a risk assessment: looking at what type of data is being used, by whom and where, what the risk of loss is, and how this can be reduced.
The more personal and confidential the data, up to Special Category Data, the more damage is done if the data is lost and the more care should be taken to secure that data and avoid a loss. Similarly, the larger the scale of records you are moving around with, the greater the problem if they are lost.
Before you pop off home with a full set of client records to work on this summer, you should check with your insurers and find out what you are covered for (and what you are not). Like all kinds of insurance, if you don’t follow their rules you can find you are not covered even if you paid a premium.
Enjoy the summer
Keep yourself and your data safe.