GDPR compliance guidance
For GDPR compliance all backups need to be encrypted. If there is a request to remove personally identifiable information, it only has to be removed from the live system. Backups are exempt, but you must have a written policy stating what happens if a backup is restored and the affected information comes back with it.
Some of the things that will need a written internal policy and that impact IT are:
Data policy – where data is stored and who has access to it.
BYOD Policy – (Any personal devices that can access the work network and data, be they phones, laptops or PCs; the policy should state what they can access and how that access is controlled)
Device Acceptable Use Policy – (How company devices can be used, where, and for what)
Password Policies – (Password complexity and change policy)
Backup Policies – (What is backed up, to where, and the periodic testing and verification of backups)
Software Policies – (Acceptable software policies)
Data Protection Policies – (Encryption etc., where data can be stored, and who has access to it)
Change Policy – Who can authorise system changes that would or may impact personal data
Data Breach Policy – What happens if there is a data breach, who is responsible for notifying the Data Commissioner’s Office (normally the DPO), what investigative procedures to follow, etc.
Information Removal Policy – Who responds to a request to see what information the company holds on a person, who deletes the data, and who creates the document trail
And some things that are flagged as important are:
Inventory management of company PCs and laptops
Company devices should all be encrypted including mobile phones.
USB key management (The company should have an allow list of specific encrypted USB keys, or block all keys fully)
Change Management Authorisation
Data Protection Impact Assessment (DPIA) on any change to the system that could impact data protection (such as a data migration, host migration or network upgrade)
Backups – Encrypted backups are fine. If you are asked to remove personal information from the live system, you do so and only have to make a note that the person’s data is still in a backup. If the backup is ever restored, you then have to clean the person’s data from the restore. Backups have to be tested and verified periodically with a test restore/boot etc.
Company mobile phones should be managed to ensure compliance with the appropriate company policies (Office 365/Intune/MDM)
Software policy/Shadow IT – This works in tandem with the internal software policy; IT should flag any software on devices that is not on the allowed list (such as Dropbox, Google Drive etc.)
ERP/CRM software – Does the software or database contain personally identifiable information (name, phone number, email address etc.)? If so, how do you protect that data (passwords, software updates, admin access)?