If you’re running a business you will definitely be storing and using personal data. That means you have obligations under the new GDPR rules. In my last post, Your Website and GDPR: Privacy Policy and Consent, I described what’s needed to get the online side of your business compliant. But what about any files, documents, or invoices, or any other records you keep? This post will explain ways to ensure your customer records are secure.
Know What, Why & Where Information is Stored
When you audited your business (you’ve done that, right?) you will have created a list of the types of information you hold, why and where. In all likelihood this will include some electronic files stored on your local computer and maybe also paper copies or other paper-based records.
For example, maybe you keep it all in entry in your Outlook address book, or you might have a customer-registration form, or a database entry in a CRM application.
If you’re creating electronic copies, are they backed up anywhere? Are you backing up to a physical drive or to the cloud? Is your cloud storage secure, in the EU, and GDPR compliant?
Any method of collecting or storing data falls under GDPR, so read on to find out ways to ensure your computer and any paper copies of files, and therefore your customers’ data, are protected and secured.
Storing Digital Records and Files
Using a Third-Party Tool
If you are using a third-party application, for example, using an application like Wave or Freshbooks to generate and track your invoices, you will have to check on the GDPR compliance policy of that company. Most companies are busy working towards compliance but the onus is on you to check. Because any software like that will require you have an account with a secure login process, as long as the company says they’re compliant, you’re probably good to go: just make sure your password is as secure as it can be. If you’re not using one of the many password manager tools, now would be a good time to start (although they come with their own risks, of course!)
If you’re not sure, get in touch. Most software providers are fully aware of the demands being placed by the new GDPR rules and are keen not to lose business due to non-compliance.
On your Computer
If you are keep data locally, on your PC, you need to know where this is so you can find it to provide it on customer request and/or remove it. And it needs to be secure. The question to ask yourself is this: if someone steals my computer, my phone, my iPad (or whatever piece of tech you store your files on) can the personal data of my customers be accessed? If the answer is yes, there are a few simple things you can do to lock that information down.
Encrypt Your Computer, Files and/or Folders
First, you need to ensure that your PC and the files you stored there are encrypted, which is just a fancy word for password-protected.
You want to make sure your PC is locked. Think about whether someone who finds or steals your PC could open it and start working without having to jump through any security hoops. Make sure you have a login password, pin, or fingerprint scan set up to enable access your device.
Then, make sure you have an encrypted folder specifically for any files that include customer data. There are several ways to do this: you can pay for software, you can use a ZIP or other password-protected archives in place of folders for customer files (a bit clunky, but it would do the job), or – chances are you can use software that is already installed on your computer, either bundled with the OS or as part of your internet security package. If you’re running paid-for software from one of the main internet security companies it’what’s available. For example, Kaspersky Total Internet Security provides a tool called Secure Folders and Comodo Internet Security has Protected Data Folders. No need to spend any more money. Bonus.
Secure your Backups
Backing up to The Cloud
If you’re backing up to The Cloud (think Google Drive or Dropbox) you need to ensure that their service is secure and GDPR compliant. More and more of us are using cloud storage these days, but as that will involve passing digital information from your computer to the cloud how secure is that really? Is encryption used when the files are transferred? Is it a US or EU based company? What happens in the event of a data breach? Where the data is stored?
And it’s not so simple as you think: lots of us use Google Drive nowadays and while it’s really easy to backup your files using their Backup and Sync tool, which is fine for your personal files, unfortunately (at least at the time of writing) it’s not a workable option for your customer files. Why? Because Google have said that unless you’re paying for the service as part of a My Business account, Google Drive (personal) is not GDPR compliant.
Backing up to an External Drive
If you’re backing up to an external drive, you need to make sure that access is encrypted. As with your physical computer, ask whether someone who took your drive could open it and access your files. Protected your device and your files in the same way you would on your computer.
Secure your Hard Copies
So much for the paperless office. We all end up with paper copies of some sort – and some of us prefer to keep records that way. If you are keeping records on paper, the question re security goes back to the what happens if someone accesses your files. In the same way that you are responsible for protecting electronic files, you’re required to ensure paper files are secure. With paper files that means keeping them under lock and key. That means getting a lockable draw or filing cabinet – ideally something fireproof, just to be sure – and locking them away.
And Last Steps…
Lastly, document it all. You should have all this in a single file as the result of your audit. If not, now would be a good time to do it.
Image credit: iStock.com/drogatnev
Disclaimer: This information is intended as guidance only. It is not a substitute for legal advice and is based on personal research conducted by the of the author. Ensuring your business is GDPR compliant is the responsibility of your Data Controller.
If you need help with this or any other aspect of your home or business IT, contact me to arrange a free consultation.