By Jean Evans | Highline Office Technology
Although the ramp up to #GDPR (General Data Protection Regulation) has been on the cards for the past couple of years, I think most companies and most people haven’t really started to take note until the past few weeks. It certainly wasn’t on my radar until relatively recently, but since then, I’ve made a concerted efforted to get upskilled so that I’m in a position to help guide our company and clients, particularly where it pertains to their office equipment. But one thing I’ve found, is that all courses talk about the background and context, in isolation. Now don’t get me wrong, we all need to understand the purpose, the rules, the regulations and the why, but what I haven’t seen yet, is simple, digestible inputs that businesses can easily follow and implement. Each business will be different and what is appropriate to implement is going to be different, so where should you start?
I was part of a panel in PierConnect in Dun Laoghaire the other day, run by Scale Labs, and I got to highlight some practical tips, that I hope will help businesses get moving and get prepared for GDPR. Be under no illusion, this is not Y2K, as many people I’ve spoken to, appear to think. This is real. This is coming. May 25th is the date to have seared and networked to all of our diaries.
For me, three words are key to understanding GDPR: Consent | Transparency | Security. Every time I learn more about the topic, I filter the information and put it underneath one of these three pillars. For me, anyway, it helps me understand what’s appropriate to my business and it also makes the information flow more manageable and less overwhelming.
So, with that, I thought I’d work on a series of blogs on GDPR in the workplace, to outline steps for all businesses to consider. So I’m going to start with Physical Workplace Security. It’s really important to remember that GDPR compliance involves both our offline and online protocols and workflow processes.
Here are a few things that you need to ensure are in place in your business as part of your internal GDPR audit process:
- Ensure all your devices are encrypted and password protected. If you don’t have an IT company, engage one today. This applies to any device that you use for work, be it company provided or BYOD (Bring Your Own Device). So, it’s PCs, desktops, laptops, phones, tablets, phablets – you name it – if it’s connected to your work in any way and connected to the internet, get it locked down.
- Consider if you work in an open plan, shared workspace or your own office. Consider how people can see your computer. Invest in a computer screen filter that further protects your privacy, as it deflects the light.
- Encourage a clean desk policy. Don’t have unnecessary paper on your desk and certainly do not have anything with any personal information in it there. Having anything with confidential, proprietary, sensitive, financial information on your desk is a clear security risk.
- Invest in a cross cut shredder. There are a lot of different types of shredders out there, but if you are dealing in sensitive information, then you need the most security orientated shredder on the market. Check out the safesandshredders.ie website for options.
- We are all guilty of putting our new passwords on a post-it note and sticking it to a noticeboard beside the desk or onto the side of our laptop screen! Well no more. You have got to create a password retention policy for you and your staff. Talk to your IT company and work out a strategy for this.
- Have a lockable cabinet by your desk and put your personal items in it. This includes keys, wallets, phones etc. When you walk away, lock the cabinet or drawers and bring the key with you. There isn’t a lot of point locking it and then leaving the key in the lock, now is there?
- And lastly for the physical tips, look at your USB sticks (thumb drives) and the policies you put in place for their use in the office. Firstly, ensure they are, or the documents saved on them, are password protected. Do not leave them lying around in the office or on desks. It’s too easy to misplace them and just think of all the company presentations, budget, sensitive and confidential information that’s on them and then think about all the random people that walk into your office on any given day; the postman, the courier, the cleaner, suppliers, clients – anyone could lift the USB stick or indeed any of the paper or personal effects that are listed in the points above. Or you’re sitting in a café and leave it behind, what then? Play out the scenarios and work backwards to create a policy that will work for your company.
These are just a few tips to help with your office security hygiene protocols. Training staff around GDPR policies is a key winning point in managing the risk and mitigating it. By documenting how you do things, by engaging in the right partners to help your business, bit by bit you can become compliant. But remember, you will only be compliant if you know what the processes are and rigidly stick to them. You could be compliant one day and not the next, so it’s a continuous work in progress. A lot of what is mentioned above is relatively easy to implement; it may be financially painful, in some instances, but it’s necessary. Finally, a note to say that this is not legal guidance, but general guidance to help you on your business on its compliance journey.