July 18, 2017

GDPR Guidance: How to Identify Security Risks and Better Protect Confidential Data

Many security experts say rights protection has not kept up with the implementation of new technologies and as a result, personal information is more at risk than ever.

The new General Data Protection Regulation (GDPR) will address the issue in different ways, including a Data Protection Impact Assessment (DPIA) requirement in the workplace in certain circumstances. The GDPR will supersede the Data Protection Act in the UK, and it comes into effect next May. But it will also apply to all companies, anywhere in the world, that process information about EU citizens.

According to GDPR guidance papers, in certain circumstances, including when a company is going to be handling personal data using new technologies, the GDPR will require a Data Protection Impact Assessment (DPIA).

A DPIA will assess security risks involved in processing data. This risk assessment process will analyse how proposed uses of personal information might create security risks and then suggest ways to mitigate the risks.

A systematic process is recommended because not only will it better protect data but it will document the entire process showing legislators as well as the workforce, business partners, and customers that the company is committed to information security. This may help reduce liability, negative publicity and damage to reputation. 

Best practice steps to take when assessing security risks of personal information in the workplace

Step 1: Early on in a project determine if there is a legal obligation to carry out a formal Data Protection Impact Assessment. Some examples of when one is needed include a new project involving the use of personal data, new IT systems that store and access personal information, and data sharing with another company. 

Step 2: Identify what data management processes will be required and map out how the personal data, in digital or paper format, will be transmitted, routed, and stored throughout its lifetime. Create an actual diagram that shows how the information flows through the organisation.

Step 3: Identify and evaluate all the potential security risks in the workflow. What are the high risk areas for a data breach? Who are the potential attackers and their motives?

Step 4: Make recommendations on how to mitigate each risk at each step. Document safeguards and how they will protect confidential information from inappropriate disclosure.

Step 5: Implement safeguards to protect confidential and personal data against unlawful processing and disclosure, examples include:

  • IT controls including authentication processes, encryption, security software, access controls and others;
  • Comprehensive policies and procedures for document management and retention;
  • Ongoing training to educate employees about appropriate handling and protection of sensitive data (the protection of data in all forms must be prioritised in and out of the workplace);
  • Embedded workplace procedures such as a Clean Desk Policy and a Shred-it all Policy;
  • Partnering with a document destruction expert for secure disposal of confidential information (secure shredding of paper documents and hard drives and electronic media).

Learn more about the GDPR and how it will affect your business with our downloadable whitepaper.

Start Protecting Your Business 

To learn more about how Shred-it can protect your documents and hard drives, please contact us to get a free quote and data security survey.