Top tips to 'spring clean' your data processes and get ready for GDPR
We are now firmly in the final countdown until the General Data Protection Regulation (GDPR) comes into effect on 25th May. Businesses should be taking this opportunity to 'spring clean' their data protection processes to meet the requirements of the new laws.

Here are some top tips to help you get your house in order ready for GDPR:

Remember it's all about the data, not the network

When it comes to GDPR, there's been a lot of focus around network security and how to prevent data breaches. But as important as protecting your network is, it's also about protecting your data – it's called the General Data Protection Regulation, not the General Network Protection Regulation, after all. 

If your data is hacked or leaked – perhaps by a client or an ex-employee who's walked off with a USB stick – you'll need to find it quickly and address the breach before the data spreads further. Therefore, businesses need to make sure that they are continuously looking for their data appearing outside the firewall, and quickly report any breaches. 

Your data may be tucked away in surprising places

The first step to protecting your data is finding out where it is in the first place!

Businesses have a wealth of data at their fingertips – everything from employee information to contact details on suppliers and clients. Whether this information is kept on file somewhere on your own network, stashed on the Cloud, or sitting in one of the hundreds of CSV files shared with partners or suppliers over email, you may be surprised just how many places your business actually keeps its data.

If you haven't already, then start by making a list of every system, file, supplier and partner that might have data about your staff and clients. That includes CRM systems, HR databases, payroll, pensions, email marketing platforms…you'll probably find your data is more widespread than you think.

Indeed, we recently did an audit of our own data and quickly found that there are around 35 partners, systems and places that are storing our data – all outside the network. And we're a small company, so imagine how that's going to be magnified for larger organisations.

Of course, the reality is that the vast majority of this data will probably lie undisturbed for many years until it gets deleted or scrapped – without anyone ever knowing about it. But the more data that is outside your network, the more likely it is that it can be inadvertently left exposed and unprotected.

So, it is critical that you find out exactly where your data is.  And if you don't need it to be there, then delete it.

But what if my data is breached? Where does it go?

Just like any business, cyber-criminals have to market, distribute and sell “goods”. And the go-to place for this exchange is the Dark Web, which is the “hidden” part of the internet, not indexed by conventional search engines like Google or Bing. 

For the vast majority of people, the Dark Web is only dimly understood as a network for illegal activities like the sale of weaponry and drugs, but it is increasingly becoming a marketplace for something much more valuable: your data. This includes employee email addresses, credit card details and company login information. 

The challenge, however, lies in finding your information once it's been stolen.  Unlike a physical burglary, there's no broken window or open door – indeed, if your data does get taken, the chances are that it could take months or years for you to find it – and you may never know.

Enhancing your data tracking

It is vital to keep track of your data by continuously looking out for your data appearing “outside the perimeter,” and quickly addressing any leaks – much like having CCTV or a security guard protecting your office buildings and car park. 

One of the simplest steps you can take to protect your data is to add a few fake entries, which can act as “watermarks”.  Just invent a plausible-sounding person, perhaps register them an email address, and add them to your CRM system, website login or internal client list. That way, if you ever see that person's details being posted online, you know your data may have been compromised – maybe not by you, but by a client or partner who's had access to that data and has inadvertently lost it, or a former member of staff who is using it for their own benefit.
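
The watermark idea above, as an added example (not part of the original article): it goes one step further than a single fake entry by planting a different fake contact in each copy of the list, so a sighting also tells you which copy leaked. The secret key, name lists, recipient labels and the example.com domain are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Constructed name parts and domain; use a domain whose mailboxes you control.
FIRST = ["alex", "jordan", "morgan", "casey", "robin", "taylor"]
LAST = ["hartley", "okafor", "lindqvist", "marsh", "devlin", "pryce"]
CANARY_DOMAIN = "example.com"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def canary_for(secret: bytes, recipient: str) -> dict:
    """Derive a stable fake contact for one recipient's copy of the data."""
    digest = hmac.new(secret, recipient.encode(), hashlib.sha256).digest()
    first = FIRST[digest[0] % len(FIRST)]
    last = LAST[digest[1] % len(LAST)]
    tag = digest[2:5].hex()  # makes the address unique to this recipient
    return {"name": f"{first.title()} {last.title()}",
            "email": f"{first}.{last}.{tag}@{CANARY_DOMAIN}"}


def build_registry(secret: bytes, recipients: list) -> dict:
    """Map each canary address back to the copy it was planted in."""
    return {canary_for(secret, r)["email"]: r for r in recipients}


def find_leaks(text: str, registry: dict) -> list:
    """Return the recipients whose canary address appears in the text."""
    hits = set()
    for addr in EMAIL_RE.findall(text):
        owner = registry.get(addr.lower())
        if owner:
            hits.add(owner)
    return sorted(hits)


def demo() -> list:
    secret = b"constructed-demo-key"  # assumption: kept out of the datasets
    recipients = ["crm", "payroll-provider", "email-marketing"]
    registry = build_registry(secret, recipients)
    planted = canary_for(secret, "payroll-provider")
    # Constructed paste-site text: one real-looking row plus the canary row.
    dump = ("name,email\n"
            "Sam Real,sam.real@customer.test\n"
            f"{planted['name']},{planted['email'].upper()}\n")
    return find_leaks(dump, registry)


if __name__ == "__main__":
    print(demo())
```

Because the canaries are derived from the key and the recipient label, the registry can be rebuilt at any time without storing the fake identities alongside the real data.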

For extra security, businesses can also invest in Dark Web monitoring tools that can detect that data, by continuously monitoring millions of Dark Web pages, as well as the hundreds of dump sites that are being used by cybercriminals. These tools can alert you in real-time when your data is being shared on the dark web. Real-time detection can be a vital tool in your data protection arsenal as, when it comes to the GDPR, you are obliged to report breaches as soon as possible.

With only a couple of months to go until May 25th, the clock is ticking to get your processes right. These simple steps can help you guarantee your compliance with the new regulations.

Contributed by Patrick Martin, cyber-security analyst, RepKnight.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.