GDPR makes you responsible for ensuring that the data your business collects, holds and processes is kept safe from cyber attacks. The following are steps you can take right now to help protect your business:
Improving cyber security is like adding locks to your front and back doors. It won’t stop the most determined thief but you can reduce the risk significantly. Take a gradual approach to cyber security and do the easy things first.
Many small businesses use WordPress websites, third-party plugins and relatively low-cost hosting options. It is time to review these.
Firstly, check that you have the latest version of WordPress. Out-of-date versions leave security holes that cybercriminals can exploit to gain control of your server, data and website(s).
Secondly, check that you have the latest versions of all plugins – or pieces of third-party software – installed, and retire any that are no longer supported. The recent discovery that the UK’s Information Commissioner’s Office (ICO) website had been hacked for crypto-mining was the result of a vulnerable third-party plugin.
I would suggest you add a WordPress security plugin such as Wordfence which will monitor your website and plugins.
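The two checks above (core version and plugin currency) are easy to script. The following is an added example, not code from the original article: it reads the installed WordPress version from wp-includes/version.php, collects each plugin's declared name and version from its header comment, and flags plugins whose readme.txt either declares no "Tested up to" release or was last tested against an older major.minor of WordPress than the one installed, which is a common sign of an abandoned plugin. It builds a throwaway install tree with constructed sample plugins so it runs offline; the plugin names and versions are invented. It does not query wordpress.org, so it tells you which plugins to review, not whether an update exists (for that, WP-CLI's `wp plugin list --update=available` on a live install is the usual check).

```python
"""Offline inventory of a WordPress install: core version plus each plugin's
declared version and the WordPress release it was last tested against.
Added example with constructed sample data, not part of the original article."""
import re
import tempfile
from pathlib import Path

# Matches the assignment in wp-includes/version.php, e.g. $wp_version = '6.4.2';
CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def version_tuple(text):
    """'6.4.2' -> (6, 4, 2); tolerant of suffixes such as '6.4-RC1'."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))


def header_field(text, name):
    """Extract 'Name: value' from a plugin header comment or readme.txt, or None."""
    pattern = r"^\s*\*?\s*" + re.escape(name) + r"\s*:\s*(.+?)\s*$"
    m = re.search(pattern, text, re.M | re.I)
    return m.group(1) if m else None


def core_version(wp_root):
    """Return the installed WordPress version string."""
    text = (Path(wp_root) / "wp-includes" / "version.php").read_text()
    m = CORE_RE.search(text)
    if not m:
        raise ValueError("no $wp_version found in wp-includes/version.php")
    return m.group(1)


def plugin_inventory(wp_root):
    """One dict per plugin directory under wp-content/plugins, with review flags."""
    core = version_tuple(core_version(wp_root))
    results = []
    for plugin_dir in sorted((Path(wp_root) / "wp-content" / "plugins").iterdir()):
        if not plugin_dir.is_dir():
            continue
        name = version = None
        for php in plugin_dir.glob("*.php"):  # the main file carries the header
            text = php.read_text()
            if header_field(text, "Plugin Name"):
                name = header_field(text, "Plugin Name")
                version = header_field(text, "Version")
                break
        readme = plugin_dir / "readme.txt"
        tested = header_field(readme.read_text(), "Tested up to") if readme.exists() else None
        flags = []
        if tested is None:
            flags.append("no 'Tested up to' declared")
        elif version_tuple(tested)[:2] < core[:2]:
            flags.append(f"last tested against WordPress {tested}, core is {'.'.join(map(str, core))}")
        results.append({"dir": plugin_dir.name, "name": name or plugin_dir.name,
                        "version": version, "tested_up_to": tested, "flags": flags})
    return results


def stale_plugins(wp_root):
    """Directory names of plugins that need a human review."""
    return [p["dir"] for p in plugin_inventory(wp_root) if p["flags"]]


def build_sample_install():
    """Create a throwaway WordPress-like tree (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '6.4.2';\n")
    plugins = root / "wp-content" / "plugins"
    fresh = plugins / "fresh-forms"          # maintained plugin (hypothetical)
    fresh.mkdir(parents=True)
    (fresh / "fresh-forms.php").write_text("<?php\n/*\nPlugin Name: Fresh Forms\nVersion: 3.1.0\n*/\n")
    (fresh / "readme.txt").write_text("=== Fresh Forms ===\nTested up to: 6.4\nStable tag: 3.1.0\n")
    stale = plugins / "old-gallery"          # last tested years ago (hypothetical)
    stale.mkdir()
    (stale / "old-gallery.php").write_text("<?php\n/**\n * Plugin Name: Old Gallery\n * Version: 1.2\n */\n")
    (stale / "readme.txt").write_text("=== Old Gallery ===\nTested up to: 4.9\n")
    orphan = plugins / "mystery-widget"      # no readme at all (hypothetical)
    orphan.mkdir()
    (orphan / "mystery-widget.php").write_text("<?php\n/*\nPlugin Name: Mystery Widget\nVersion: 0.3\n*/\n")
    return root


if __name__ == "__main__":
    root = build_sample_install()
    print("WordPress core:", core_version(root))
    for p in plugin_inventory(root):
        print(f"{p['name']} {p['version']}: {'; '.join(p['flags']) or 'ok'}")
```

Point `plugin_inventory()` at a real document root instead of `build_sample_install()` to use it on your own site. The "Tested up to" heuristic errs on the side of flagging: a plugin that is maintained but whose readme was not bumped will appear too, and that is the right failure mode for a review list.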
Lastly, talk to your web host. Personal data on EU citizens should be processed within the EU unless (say) your US host is a member of an approved international scheme such as Privacy Shield, which ensures that those organisations will adhere to EU standards of data protection. You also need to know how they protect your business’ personal data sitting on their servers.
Most Android phones (over a year old) are no longer receiving security updates, and the iPhone 5c and earlier models are now beyond security support. Many tablets older than three or four years are also no longer secure.
Under GDPR rules you will be considered negligent if you do not update devices which either hold or have access to private data, and hence an insecure phone or tablet will risk a fine.
If you have an active newsletter for which subscribers knowingly opted-in and for which unsubscribing is as easy as subscribing, then you can carry on as before. Equally, contacting people or businesses to offer your products and services is acceptable without prior permission if there is legitimate reason for you to offer your skills and the emails were legitimately obtained.
However, you must allow people to opt out of your database or list, and don’t phone anyone who is on the Telephone Preference Service (TPS).
However, if your newsletter list is made up of people who haven’t given you authority to contact them or has been plundered from your LinkedIn contacts, or if you are unsure how or where the data came from, then bin it.
It isn’t just smartphones that need to be retired – all devices, eventually, need to be disconnected from the internet. If you have any computers running Windows XP or Vista, get rid of them as soon as you can. Equally, old customised software that only runs on old machines needs to be replaced.
Lastly, encrypt your business’ personal data. Remember this is for customers, suppliers, staff and applicants too. Your HR data is particularly sensitive.