How can we make sure that the data we process is properly secured?

Your organisational action plan to secure the data you have will depend on a wide range of factors: for example the types of data you store, how sensitive it is, how much you have, how complex your digital infrastructure is, and whether you have in-house digital security knowledge or choose to outsource. At minimum, however, you should take the following steps:

  • List what personal data you hold and map out where you store this data.

  • Do a risk assessment, pinpointing the most likely sources of unauthorised access/leaks.

  • Implement a data protection action plan that builds on your risk assessment, which includes: data minimisation (collect, process and store only the data you absolutely need); access control (limit who has access to personal data); storage security (where do you store personal and/or sensitive data? Is it stored separately from non-personal/non-sensitive data? Is it stored encrypted?); staff digital hygiene; and a data retention, archiving and deletion policy.

  • Test the security of systems that store personal data (servers, email, archives etc.).

  • Write down all the actions you have taken to protect the personal data you have.

  • Set up and test a data breach action plan, which should include roles and responsibilities, reporting to the Data Protection Authority (DPA), and so on.

  • Put together a plan for periodically revisiting these steps.

Do you need to run HTTPS to be GDPR compliant?

No, it is not mandatory to implement HTTPS on your website, but it is good practice (recommended by Data Protection Authorities). For more information about HTTPS, visit Let's Encrypt.