Retention, Policies and Passwords
PAUL MATHER, DIVISIONAL OPERATIONS DIRECTOR SAYS:
I spoke a while back about GDPR legislation and my observations that, at this early stage, a lot of businesses seem to be very focused on the “electronic” aspect of data protection and less so about the physical.
This is perfectly valid but both sides need to be considered and complied with before the regulations are enforced in May 2018. To recap, when thinking about data protection you need to be thinking about both the ‘tangible’ and ‘intangible’ data that you hold. That CRM database of your staff/clients/contacts is indeed very important but so are the payroll files, HR data, insurance forms, share certificates etc. In a recent survey the majority of respondents said that they either didn’t have a retention policy or if they did, they didn’t know the specifics. Furthermore, most thought they had paperwork going back more than 10 years on ex-employees, for example. If this data escaped your control you might be hard pressed to justify why you still had it.
Like most policies, it might seem daunting to create one if you have never had one previously. Usually one can get guidance or sample policies from one of the many suppliers out there, but because in many cases retention (certainly in the context of GDPR), is not explicitly defined there is an element of choice in what you can include. Care must be taken as in many cases, for the typical business, there will be statutory requirements for retention for certain types of data: payroll & certificates of incorporation to give a few examples. Equally, whilst you have choice in some aspects you need to be very careful that your choices are considered in the context of your responsibility as a data controller or processor. Having a retention policy which reads “I’m going to keep applicant/prospect CV’s for 10 years” is unlikely to show compliance with the principles of GDPR and lawful processing.
Again, once you have a policy you need to adhere to it and regularly review it. Do you hold different types of data now? Has legislation changed? Is your policy still relevant? The frequency of such a review will depend very much on the policy in question and it should be clear to the business who is responsible for each aspect of the policy.
Whilst on the subject of policies I’d like to draw your attention to the subject of passwords. Whilst on some level I understand that having separate complex passwords for the many systems we all engage with these days can be frustrating. I am, however, staggered at how obvious a lot of user ID password combinations still are. This is doubly surprising given how prevalent data and cyber security is in the media these days.
A recent survey showed 64% of people have the same user ID/password for more than 3 distinct accounts. In the same survey 22% of people admitted their password was one of 10 listed. That list included “password”, “12345”, “letmein”, “YOURNAME” and “qwerty”. You can guess how many people in the same survey have their easily found email address as their user ID…..
Whilst there are many recommendations for password strength and the more complex the better, a random combination of upper, lowercase, numbers and symbols of at least 8 characters is generally considered to be strong. It is also recommended that passwords be regularly rotated, to further improve your security. There are other methods too, such as multi-factor authentication, which can all add layers of security and again must be balanced against ease of use.
Statistically speaking, some of you reading this should be feeling a little uncomfortable right now. It’s a scary world we live in but we, and to a degree our service providers, need to take some responsibility for our safety. If not, don’t be too surprised to find those extra transactions on your bank statements or your data in the wrong hands.
THE GDPR WEBINAR SERIES - PART 3 RELEASED