Anna Dick, CTO of online recruitment marketplace Hiring Hub, answers your questions and shares her experience of the world of data protection, post-GDPR.
It’s more important now than ever before, as we are so much more ‘digitally connected’. The internet is one of the greatest contributors to how much personal information we now give out, and social media culture actively encourages people to casually share their PII (Personally Identifiable Information) online. If this data gets into the wrong hands, it can be used to cause a lot of damage to those individuals.
Confidentiality, integrity and availability of information are the three key ways data security should be viewed.
At Hiring Hub, the first thing we did was identify where all our PII data was, then discussed whether we really needed it. Deleting a lot of old or unused data really reduced our scope which made things seem less daunting.
For us, there are two key types of threats: external (hacked by an unauthorised user) or internal (data is deleted or altered by an authorised staff member). Both are equally important. As a small company, we use a lot of third-party companies to store and manage our data, so for us it was important to ensure that they were fully compliant.
From the staffing angle, we have conducted training, revised contracts and have a solid starter and leaver process.
It depends on what you do. Most public authorities now require one, as do certain types of data processors.
At Hiring Hub we didn’t need a DPO, but we did need someone to take responsibility for this to ensure there was a focus on information security. We now have an Information Security Manager and representatives from all teams meeting regularly to discuss data, assess our risks and continually improve our security processes.
We need to protect our customers’ data. Once we have collected it, we need to ensure it is kept as securely as we can. It doesn’t all need expensive solutions either: once you reduce the scope of the data you keep, you can reduce access to that data, making it easier to use some manual processes.
If they didn’t before, they probably do now! One of the great things GDPR has done is get people talking about the complex world of data protection. It’s always been important but it’s sometimes difficult to get it up the list on company agendas or to get a buy-in from senior management.
Personally, we’ve used a lot of the free events, blogs, guides and case studies available online to educate ourselves. Big companies may have engaged with consultants for further advice, but this can be expensive.
It’s important to have everyone in your company understand their responsibilities when dealing with PII. You need to make it as interesting and relevant as you can. We used an interactive presentation and quiz which actually made it fun! All new starters go through this training as well.
I think most businesses will now have this topic higher up on their agenda and will continue to seek out up-to-date information. The Open Web Application Security Project (OWASP) and the Information Commissioner’s Office (ICO) continue to be great resources for ongoing education.