By Dr Kerry Beynon
By “data” I mean intellectual property, commercially sensitive data and personal data. The chances are that you also have in place IT systems to manage your data. Perhaps you outsource your IT function, or perhaps you are fortunate enough to have an in-house team of IT gurus that take care of things for you. You may have “IT” noted on your risk register and have considered some kind of insurance, but how often do you properly review, test and challenge your systems and disaster recovery plan for preventing and dealing with information security breaches?
It is important to keep in mind that one of the themes of GDPR is “proportionality” – everything must be proportionate to the risk of harm that may be suffered by individuals. However, for something to be proportionate, it has to be “considered”. This means that a one-size-fits-all approach is not suitable if you want to work towards compliance with the GDPR.
• Consider the personal data that your organisation holds and review whether your IT infrastructure is likely to provide adequate protection
• Always keep your systems up to date (but when you click a link to update software, make sure that link is genuine!)
• Test and challenge your disaster recovery plan – if you are subject to a ransomware attack, how will you retrieve your data, and how quickly can you get your business up and running again? Where are your weak points, and how can you fix them?
• Consider Cyber Essentials Plus – whilst obtaining Cyber Essentials Plus is not a guarantee of compliance with GDPR, it will certainly help to show that you have considered the risks and have tried to take appropriate steps.
Kerry specialises in data protection, IT/IP and commercial law. Before entering legal practice, she taught IP and contract law at Swansea University and worked for an award-winning project aimed at protecting the IP rights of small to medium-sized enterprises. A member of the Chartered Institute of Arbitrators, Kerry is also a solicitor-advocate with higher rights of audience in both the civil and criminal courts. Kerry has passed the Certified EU General Data Protection Regulation Practitioner qualification awarded by IBITGQ and accredited to ISO 17024.