The Hidden GDPR Compliance Traps in Your Office
Offices deal with huge amounts of data all the time, using a multitude of devices and software platforms. As such, it is sometimes difficult to take every potential security risk into account, many of which can put you at odds with imminent GDPR legislation.
Even if you have taken steps to improve your data security you’d be surprised at what could catch you out. We’ve listed some of the hidden GDPR compliance risks you might not have thought about below. They just might save you from a significant fine.
The visitor book is about to become a victim of good GDPR compliance in the workplace. While it may seem innocuous on the surface, a visitor book is a treasure trove of information to anyone compiling personal data illicitly. It captures important personal data about people, and it also builds up a profile of what they're doing and when.
This has long been an area of concern for businesses such as law firms and doctors' surgeries, which need to protect information about their visitors, clients or customers. However, it is now a concern for all of us.
Digitising this information using a visitor management system is a crucial step to ensuring that you’re meeting the non-traditional implications of GDPR.
Alongside the visitor book, one of the most common forms of data retention in your average office or reception is the spreadsheet. Old workhorse that it is, the utility of Excel has led to it becoming a principal means of data capture. Spreadsheets are also a major GDPR concern. You'll need to make considerations around:
How they're stored
Storing spreadsheets locally is a recipe for trouble. If anyone were to break into the office and walk away with the device, the data on it is freely available to them. If you keep things on a secured network drive or in an encrypted, purpose-built application, there will be built-in fail-safes that may protect you should the ICO come knocking.
How they’re viewed
Keeping a spreadsheet open in full view if you're working in a public space creates a similar problem to having a visitor book on display. While it may not contain obvious customer data, a passer-by can see enough at a glance to cause problems.
How they're sent
If you send an email containing a spreadsheet, are you sure it's encrypted? Is two-factor authentication turned on for your account? If someone were to brute-force their way into your email account or your instant messenger, they could freely access any spreadsheets containing sensitive information.
Ease of access
The ease with which you can edit a spreadsheet is one of the main reasons they are so popular, but it's also the source of a major security risk. If someone can get hold of your spreadsheet, they can do pretty much anything with it: almost every application that deals with data, malicious or not, can import CSV and XLS/XLSX files.
Avoiding the use of spreadsheets for data that doesn't require specific spreadsheet functions will go a long way to ensuring that you don't fall foul of GDPR.
The right to be forgotten
You may think that Article 17 of GDPR (the right to be forgotten) is as simple as deleting someone’s data from your records but it can go much deeper than that.
For instance, if your company uses marketing automation systems such as Mautic to send out email marketing content to people on your mailing list, under GDPR you are required to give someone the option to opt out of this.
GDPR compliance is not as simple as deleting a person's data from an entire database; it is also essential that the user can exercise the right to be forgotten from specific aspects of your records, such as an individual mailing list.
People are worried about GDPR because it’s exposing the flaws in processes that they use every day and have begun to take for granted. We all take shortcuts to cut down our workload and improve efficiency, but GDPR introduces a problem with this. Many of these shortcuts were developed or put in place before we had to seriously think about how data is produced, handled, controlled and consumed.
Because of this, it is essential that you re-evaluate the way in which data is stored within your organisation, taking into account the potential security risks that exist within the systems you currently use to do your job.
If you'd like to learn more about GDPR legislation, you can download our in-depth GDPR compliance guide.
Originally published at www.visipoint.net.