The data audit: where do you store your personal data?
How do you keep it safe and can you get it back post-disaster?
The Data Protection Act 2018 (DPA), which sits alongside the UK GDPR, requires organisations to know where they store personally identifiable information (PII), to keep it secure, and to have systems robust enough to recover that data after a disaster.
What does this all actually mean?
Know where you store it.
Well, you need to actually know what data you have and where it resides.
For example, is it stored on a PC? A server? Online?
Is it in a database? Spreadsheet? Email? Where do these reside? How many devices do you have? Is it on all of them?
Let’s drill into email accounts for a moment. How many email accounts do you have? Like many people, you probably have more than one, and one of them is likely to be personal. Do you store any company PII in your personal account? Have you looked? How can you be sure?
I am drilling down because this is every organisation’s responsibility.
Imagine your personal email account is hacked and it contains organisational PII – the ICO will take a very dim view of it!
Without a full audit, how can you know what you have?
And that’s just you. What do others in your team do? Do you know? Do they save work documents, for example, on a personal Dropbox account? A pen drive?
What is important is to have a consistent process and agreement in place: a data protection policy that your organisation actually enforces.
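The first step of the audit is finding out where PII actually lives. As an added example (not code from the original ITGUYS post), the script below walks a directory tree and reports which text-like files contain UK-flavoured identifiers: email addresses, National Insurance numbers and UK mobile numbers. The patterns are deliberately simple and will produce some false positives; the file names and contents are constructed for the demonstration, and a real sweep would also open spreadsheets, mailbox exports and documents with the appropriate libraries.

```python
"""Added example: a minimal PII discovery sweep for a data audit.

Not part of the original post. The regexes are simple assumptions that
favour recall over precision; treat every hit as something to check,
not as proof of PII.
"""
import os
import re
import tempfile
from collections import Counter
from typing import Dict

PII_PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # UK National Insurance number: two letters, six digits, final letter A-D.
    # First-letter class excludes D, F, I, Q, U, V as the real format does.
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
    # UK mobile: 07xxx xxxxxx with an optional space.
    "uk_mobile": re.compile(r"\b07\d{3}\s?\d{6}\b"),
}

# Only plain-text formats are opened here (assumption); binaries are skipped.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".md", ".json", ".eml"}


def scan_text(text: str) -> Counter:
    """Count PII matches per category in a block of text."""
    counts = Counter()
    for name, pattern in PII_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            counts[name] = len(hits)
    return counts


def scan_tree(root: str) -> Dict[str, Counter]:
    """Walk root and return {relative path: Counter} for files containing PII."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            if os.path.splitext(fname)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    counts = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if counts:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = counts
    return findings


def build_sample_tree() -> str:
    """Create a constructed sample directory with fake data for the demo."""
    root = tempfile.mkdtemp(prefix="pii_audit_")
    os.makedirs(os.path.join(root, "hr"))
    samples = {
        # Constructed data: example.org address, NI-shaped string, Ofcom drama number.
        "hr/staff.csv": "name,email,ni\nAlex,alex@example.org,AB 12 34 56 C\n",
        "notes.txt": "Call Sam on 07700 900123 about the invoice.\n",
        "readme.md": "Nothing personal here.\n",
        "photo.jpg": "not scanned (binary extension)",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, counts in sorted(scan_tree(build_sample_tree()).items()):
        print(rel, dict(counts))
```

Point it at a shared drive, a mailbox export or a home directory and the output is the start of the register the DPA expects you to keep: which file, which kind of identifier, and how many. Whether each file should exist at all is the policy question that follows.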
Is it safe?
What we’re talking about here is protection from an outside party gaining access to your systems and data.
This clearly includes an antivirus application, but that on its own is not enough. For example, what is your password policy like? Does it require a minimum number of characters, some of them symbols, and so on? You do have one, don’t you?
Do you have multi-factor authentication switched on for all your key systems (wherever it is available)?
Firewalls are important as blocking any unknown or un-needed network traffic immediately reduces your overall risk.
The weakest link in IT security is human activity. The least IT-savvy person in your organisation may not know what a phishing email looks like nor that a password like tiddles1 is not safe.
Unlike computers and apps, we humans are fallible, make mistakes and can be distracted by any number of other demands on our time – and this is where a breach or attack can take place, through lack of awareness and preparedness.
Can you get it back?
One dead PC holding the single copy of a spreadsheet that took three hours to write is likely to cause exasperation at the time it will take to painstakingly key all that data back in.
But consider a device holding hundreds or thousands of files that has been wiped. It’s not realistic to recreate them all – and probably not actually possible. Do you really need that stress?
Of course, the loss could be external, via a cyber-breach and ransomware attack.
Are you ready? Can you get the data back? Are you sure? When was the last time you actually tried?
Backup strategies are vital to keep systems running smoothly. Without one, in the event of data loss you would not only be unable to function as a business, you may also face regulatory action from the ICO, including financial penalties.
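"Are you sure?" is only answerable by testing a restore. As an added example (not from the original post), the script below records a manifest of SHA-256 digests for every file when a backup is taken, then compares a restored copy against it, so a silently truncated, corrupted or missing file is caught on a test day rather than on the day you need it. The directory names and file contents are constructed for the demonstration; the damage to the restored copy is simulated deliberately.

```python
"""Added example: verifying a test restore against a backup-time manifest.

Not part of the original post. Paths and contents are constructed; in
practice the manifest would be stored with (but separately hashed from)
the backup itself.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest: Dict[str, str], restored_root: str) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest taken at backup time.

    Returns files that are missing, present but with a different digest
    (corrupted or truncated), and present but not in the manifest.
    """
    current = build_manifest(restored_root)
    return {
        "missing": sorted(p for p in manifest if p not in current),
        "corrupted": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed live tree, back it up, damage the restore, verify."""
    base = tempfile.mkdtemp(prefix="restore_test_")
    live = os.path.join(base, "live")
    os.makedirs(os.path.join(live, "finance"))
    with open(os.path.join(live, "finance", "q1.csv"), "w", encoding="utf-8") as fh:
        fh.write("invoice,amount\n1001,250.00\n")
    with open(os.path.join(live, "staff.txt"), "w", encoding="utf-8") as fh:
        fh.write("rota for next week\n")

    manifest = build_manifest(live)  # recorded at backup time

    restored = os.path.join(base, "restored")
    shutil.copytree(live, restored)
    # Simulated restore damage: one file truncated, one file lost entirely.
    with open(os.path.join(restored, "finance", "q1.csv"), "w", encoding="utf-8") as fh:
        fh.write("invoice,amount\n")
    os.remove(os.path.join(restored, "staff.txt"))

    return verify_restore(manifest, restored)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or 'none'}")
```

A restore that copies the right number of files back is not the same as a restore that brings back the right bytes; the digest comparison is what turns "we have backups" into "we have tested that we can recover". Run it on a schedule and keep the report alongside the backup logs, since that record is also what demonstrates the recovery capability the DPA asks for.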
While the DPA is designed to encourage organisations to manage and protect their data and systems, the ICO also takes a dim view of those who have failed to put a plan in place.
ITGUYS can help you manage these issues, create a system to ensure you stay on top of them, and demonstrate compliance to the ICO should this ever be required.