The GDPR IT Checklist
Make sure that you understand the GDPR basics: what data falls under GDPR, and which types of data are categorised as sensitive data.
In preparation for GDPR, you may find it useful to identify and classify all the personal data that you are working with, and then to document the technical security measures that you are putting in place to protect that data.
In-depth GDPR Training is available from the Information Compliance Office.
Make sure that the computing devices that you are using to store and process personal data are safe and secure.
Your computers, laptops, tablets and phones should all be:
- Running the latest most secure versions of software available
- Protected by anti-virus software
- Protected from loss and theft by encryption software
- Protected from unauthorised access by strong passwords
- Protected, in the case of mobile devices, by strong access codes and encryption
- Disposed of safely at the end of their useful life.
If you are not sure of the security status of a device then you should exercise caution and should not access or store University data on that device.
Public access computing devices such as computers in Internet Cafés should never be used to access University data or services due to the high risk of data breach resulting from such untrusted devices.
All University data should be stored securely in the most appropriate service with adequate data backup services.
IT Services encourages staff to use OneDrive rather than Public Cloud services such as Dropbox or Google Drive which may not be GDPR compliant.
In OneDrive all of your data will be securely hosted by Microsoft in Europe in compliance with the GDPR.
Staff should note however that OneDrive does not replace the requirement for information systems or databases to store large datasets and may not be suitable for the large-scale storage of critically sensitive data such as Medical data.
Personal data and particularly sensitive personal data should always be transferred securely.
Where data is being transferred by email or on removable media such as USB drives the data should be encrypted.
Where data is being transferred using an Internet Service such as Microsoft OneDrive care should be taken to ensure that the data has been shared with the correct person or organisation.
Data should not be transferred over public wireless networks such as those in a coffee shop or airport without the use of a Virtual Private Network (VPN) to ensure that the data cannot be intercepted.
Staff should configure their Wi-Fi settings so that their computer asks for permission before joining a new wireless network. If you are not using a VPN, do not use public Wi-Fi to access University information.
Every time you turn on your computer, open an email attachment, or click on an unfamiliar link while browsing the Internet, you could be putting yourself and your information at risk.
Don’t store your passwords in your browser. This may seem like a handy feature, but it means that all your passwords are stored in one location on your computer, which makes it easier for someone to obtain them if your computer is compromised.
Make sure your browser is up to date. Whether you use Chrome, Safari, Firefox or Microsoft Edge, make sure you are running the latest version.
Be aware of scams and fraud such as phishing which could result in someone getting access to your email inbox or data files.
When you engage a new IT partner company to provide a product or service in which the partner will be storing or processing personal data on the University's behalf, it is important to assess the standard of IT Security controls that the partner has in place, to ensure that all University data will be properly protected.
This can be done by reviewing the IT Security and privacy measures or certifications the provider has in place.
IT Service providers can demonstrate compliance with security and Privacy by Design in several ways:
- By providing a completed Data Protection Impact Assessment
- By providing evidence of ISO 27001 Certification
If you are unsure of whether a proposed partner or service is appropriate for University data you should consult with IT Services.
If you are developing or acquiring a new system that involves processing large volumes of personal data or sensitive personal data, you may need to complete a Data Protection Impact Assessment.
The purpose of a Data Protection Impact Assessment is to determine that privacy and security are adequately embedded into new systems. From an IT Security perspective, this involves building information security into any new system processing personal data, identifying any critical or sensitive data, and applying appropriate security measures.
Again, if you are unsure of whether a proposed system or service is appropriate for University data, you should consult with IT Services, who can assist you in ascertaining the level of security controls in place on a proposed system.