Did you know...?
That from 25 May 2018 the EU General Data Protection Regulation (GDPR) applies to any organisation that processes the personal data of people in the EU. It requires controllers and processors to put in place technical and organisational security measures appropriate to the risk (Article 32), and regulated financial services firms are additionally expected to have a written and enforced policy on data security. Consideration must be given to areas such as:
- Device security: password or PIN protection, and remote wipe of a device that is lost or stolen.
- Encryption of electronic records.
- Physical security of both computer and paper based records.
- Password protocols and resetting.
- Internet security, virus and spyware protection.
- Email encryption or secure messaging and file sharing.
- Information held online via third party servers.
- Back-up drives.
- Secure document disposal.
- Visibility of computer screens.
- Telephone conversations held in non-private environments.
- Outsourcing processes to third parties.
- Employees' personal devices.
Data protection by design and by default (Article 25) requires data protection to be built into business processes and systems from the design stage rather than bolted on afterwards.
Privacy settings must default to the most protective level, and the controller should apply both technical and procedural measures so that processing complies with the Regulation throughout the whole processing life-cycle. The controller must also review its contracts with processors (Article 28), such as cloud IT providers, software system providers and outsourced service providers.
Controllers should also implement mechanisms to ensure that personal data is processed only where it is necessary for each specific purpose (data minimisation).
A report by the European Union Agency for Network and Information Security (ENISA) discussed what needs to be done to achieve privacy and data protection by default. It specifies that encryption and decryption operations must be carried out locally, not by a remote server, because both keys and data must remain under the control of the data controller for any privacy to be achieved.
The report finds that outsourced data storage on remote clouds is practical and relatively safe, as long as only the data owner (not the cloud service) holds the decryption keys. Vendors market this as 'zero knowledge' encryption; in practice it means client-side encryption, where the provider stores only ciphertext, and it should not be confused with zero-knowledge proofs in cryptography. The limits are worth knowing: the provider still sees metadata such as object names, sizes and access patterns, and any provider-supplied client software must itself be trusted not to leak keys.
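The arrangement just described, as an added example that is not part of the original page or of the ENISA report: records are encrypted on the controller's own systems with AES-256-GCM from the Go standard library, and the third-party store only ever receives ciphertext, a nonce and a key identifier. `LocalKeyStore` and `CloudStore` are hypothetical stand-ins for the controller's key storage and the remote provider, and the client record is a constructed sample. The object name is bound as associated data, so a provider that swaps blobs between records, or flips a bit in one, is detected when the controller decrypts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudBlob is the only thing that leaves the controller's premises:
// ciphertext, the nonce used and a key identifier. No key material.
type CloudBlob struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// LocalKeyStore is a hypothetical stand-in for key storage under the
// controller's control (OS keychain, HSM, self-managed KMS). Keys never
// leave it; callers get Seal/Open, not the key bytes.
type LocalKeyStore struct {
	keys map[string][]byte
}

func NewLocalKeyStore() *LocalKeyStore {
	return &LocalKeyStore{keys: map[string][]byte{}}
}

// Generate creates a random 256-bit AES key under the given identifier.
func (s *LocalKeyStore) Generate(keyID string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	s.keys[keyID] = k
	return nil
}

func (s *LocalKeyStore) aead(keyID string) (cipher.AEAD, error) {
	k, ok := s.keys[keyID]
	if !ok {
		return nil, errors.New("unknown key id")
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record locally with AES-256-GCM. objectName is bound as
// associated data, so a blob the provider moves under another name fails
// authentication on Open.
func (s *LocalKeyStore) Seal(keyID, objectName string, record []byte) (*CloudBlob, error) {
	gcm, err := s.aead(keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes, fresh per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, record, []byte(objectName))
	return &CloudBlob{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts and authenticates a blob fetched back from the provider.
// A flipped bit in nonce, ciphertext or tag, or a changed objectName,
// yields an error rather than plaintext.
func (s *LocalKeyStore) Open(objectName string, b *CloudBlob) ([]byte, error) {
	gcm, err := s.aead(b.KeyID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(objectName))
}

// CloudStore models the third-party server: it stores and returns bytes
// and may alter them, but holds no keys and so cannot read a record.
type CloudStore struct {
	objects map[string]CloudBlob
}

func NewCloudStore() *CloudStore { return &CloudStore{objects: map[string]CloudBlob{}} }

func (c *CloudStore) Put(name string, b CloudBlob) { c.objects[name] = b }

func (c *CloudStore) Get(name string) (CloudBlob, bool) {
	b, ok := c.objects[name]
	return b, ok
}

func main() {
	ks := NewLocalKeyStore()
	if err := ks.Generate("records-key-2024"); err != nil {
		panic(err)
	}
	cloud := NewCloudStore()
	record := []byte("client=J. Smith; NI=QQ123456C; balance=1250.00") // constructed sample
	blob, err := ks.Seal("records-key-2024", "clients/0042", record)
	if err != nil {
		panic(err)
	}
	cloud.Put("clients/0042", *blob)

	stored, _ := cloud.Get("clients/0042")
	pt, err := ks.Open("clients/0042", &stored)
	fmt.Printf("round trip ok: %v, plaintext=%q\n", err == nil, pt)

	_, err = ks.Open("clients/0043", &stored) // provider swapped object names
	fmt.Println("swapped object name rejected:", err != nil)

	tampered := stored // provider flipped a ciphertext bit
	tampered.Ciphertext = append([]byte(nil), stored.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, err = ks.Open("clients/0042", &tampered)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

The design choice to note is that the key identifier travels with the blob but the key does not; key rotation then means generating a new identifier in the local store and re-sealing, without the provider ever being involved. In a real deployment the random key would be wrapped by an HSM or a KMS the controller operates, and nonces should never be reused under one key, which a fresh random 12-byte nonce per record satisfies for realistic record counts.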
If you have any further questions or would like us to demonstrate the true value of this to you please don't hesitate to call us on 020 8540 9020 or email us here