List all assets you use to process personal data
Identify safeguards, vulnerabilities and any likely breaches
Verify if only authorized access is possible at any point of your job
If your organization has implemented information security standards, there are probably policies, procedures, risk analysis results and at least an IT team that configures and safeguards most electronic devices. In addition to those internal solutions, there are some tips I want you to follow to avoid making mistakes.
First, think of the assets you use to process personal data in your work: locations, equipment, networks, websites, software, digital files and printed documents. Do not forget about staff, as you and your colleagues are also assets who process personal data and can be a source of incidents.
Second, think of any past or possible case where data have been unlawfully or accidentally lost, modified, disclosed or accessed. Think of any cases where data were unavailable and try to answer why. Go through the present safeguards and check how they could be broken. Report any issues.
Third, apply the need-to-know principle to all assets you control. Make sure only you can view the screens of your devices. Do not walk away without locking or signing out, and do not leave documents unattended. Do not leave keys in locks or in another drawer. Remember to secure printouts and to use a shredder. Lock documents and your room when you are not using them. Do not share data with too many recipients. Save data in network locations, so that even if you lose a device the data can be retrieved. Make sure to use PINs, passwords and encryption for both drives and network connections. Do not use public Wi-Fi without an encrypted VPN tunnel, and do not send files without securing them first. If you want to use private devices for work or business devices for private purposes, make sure this has been pre-authorized. Apply special precautions when you work remotely. Protect data as if it were your own.
Self-implement GDPR in 16 steps: