General Data Protection Regulation (GDPR) – Data Security Gap Analysis
Personal data is a highly valuable commodity. It includes any information, held in any format, that can identify a living person. Examples include (but are not limited to) names, addresses, email addresses, dates of birth, family circumstances, bank details, medical records and IP addresses.
The following overview details how Insurance2day Insurance Services Ltd has analysed the present risks that could affect personal data security and acknowledges where improvements could be made or are justified. The gap analysis is reviewed periodically to ensure that any improvements agreed have been implemented.
Areas of Consideration
Physical Security – this should be appropriate to prevent unauthorised access to personal data
– Has the risk of unauthorised access to our premises been recently reviewed?
– Have the premises ever been broken into or vandalised?
– What additional security measures are in place to prevent unauthorised access to the premises?
– Are the premises protected by:
• An Alarm?
• Door buzzers / keypad entry?
– Are visitors to the premises required to sign in?
– Are visitors adequately monitored when on site?
– Has advice on key security issues in the area been sought?
– Have staff been advised of the risks of poor physical security?
– Do we maintain a clear desk policy?
Governance – It is good practice for senior management to assess the data security risk and put in place appropriate policies, procedures and controls to reduce it.
– Do we have written data security policies / procedures that are proportionate and relevant to the firm’s day-to-day business?
– Is there a specific focus on data security within the firm?
– Are all members of staff involved in data security discussions?
– Does the firm benefit from an open and honest culture which encourages staff to report data security concerns?
Recruitment – the firm’s recruitment and staff management processes should give the firm comfort that staff are not susceptible to financial crime.
– Do all Approved Persons complete an annual fitness and propriety declaration?
– Is it feasible to ask junior members of staff to complete a fitness and propriety declaration, as it is probable that they will have greater access to customer data than Approved Persons?
– Does the recruitment process include credit checks and DBS checks on staff with access to personal data?
– Is the firm satisfied that employees have the honesty and integrity to handle customer / personal data?
– Is the firm able to identify changes in employees’ circumstances which might make them more susceptible to financial crime?
Educating Staff – It is important that staff understand the importance and relevance of data security policies and procedures.
– Have staff received training in data security?
– Are staff aware of the General Data Protection Regulation and the principles of data protection?
– Are staff bound by confidentiality procedures?
– Are staff aware that it is an offence to disclose data recklessly or for money?
– Have staff read and been tested on the firm’s customer data security policy / data protection policies?
Systems & Controls – Access to the right IT Systems – the firm’s systems and controls should be appropriate to minimise the risk of data loss or theft.
– What percentage of our IT budget is spent on information security?
– Is data encrypted?
– Are e-mails scanned for confidential data?
– Is the firm aware of the contents of ISO/IEC 27002, which provides guidance on information security management?
– Is external advice sought regarding Data Security and IT Systems?
Passwords and User Accounts
– Do all employees have their own user name and password?
– Are passwords strong, as defined by www.getsafeonline.org?
– Are staff encouraged to change their passwords regularly?
– Are staff instructed not to share their passwords or write them down?
– Do staff understand the importance of strong passwords?
Taking Customer Data / Personal Data off Site
– Do staff hold personal data on laptops or other portable devices?
– Is it possible to encrypt data held on portable devices?
– If staff do not need USB ports or CD writers on their computers, are they disabled?
– Does the firm have an up-to-date record of which employee has which laptop or memory stick?
– If staff use home computers, is it practical to ascertain how securely personal data is held?
– Has the firm considered the threats posed by increasingly sophisticated and quickly evolving mobile technology?
Backing-up Customer Data / Personal Data
– Is backed-up data encrypted / Is it possible to encrypt backed-up data?
– Are staff advised on how to hold backed-up data securely?
– Does the firm have an agreed and consistent procedure for the backup of data?
– Is it adhered to?
– Do third parties store backed-up data?
Internet and e-mail availability
– Has the firm blocked access to web-based communication facilities which are not required for business purposes?
Disposal of Data – All personal data should be disposed of in a secure fashion.
– Is all personal data disposed of in a secure fashion?
– Is personal data shredded in house and are procedures adhered to?
– Is personal data disposed of by a specialist secure disposal company?
– Is electronically held personal data disposed of securely?
– Are computers disposed of securely with all data removed from the hard drive or the hard drive destroyed?
Third Party Suppliers – the firm should know its third-party suppliers, the security arrangements around any personal data that they hold or have access to, and how they vet their staff.
– Does the firm use any of the following:
• Data Disposal firms
• Archiving firms
• Outside IT Administration
• Office Cleaning staff
• Office Security
– Has the firm considered visiting third-party suppliers to understand how they will treat personal data / vet staff?
– Has the firm written to third-party suppliers asking them specific questions about their compliance with GDPR and how they hold personal data?
The purpose of this overview is to provide a summary of our interpretation of aspects of the GDPR. This is not an analysis of the law and does not constitute a legal opinion or advice by Insurance2day Insurance Services Ltd. The contents of this overview, or any downloads, should not be relied upon: all companies need to take their own specialist qualified legal advice on any matter that relates to GDPR.