Data best practice


#1

One for maybe the more experienced VAs:
What does good data security look like for VAs?

So our SVA Approved standard is based around if your house burned to the ground, would you be able to recover the data? That’s one small part of data security…

Another big part is how data is stored securely - should it have 2 lots of security on it? Are all your devices automatically locked (phones/tablets/keyboards) when you step away from them? What other steps have you taken to ensure data is stored safely?

How about data coming into your business? Do you ask clients to password protect docs? Send via secure servers with end to end encryption?

We’re trying to come up with some good examples of how to work safely… Fire in!!!


#2

A disaster recovery plan is essential to have in place. If for example your computer has been wiped or there has been a cyber attack, you will need a hard copy of phone numbers, email addresses and processes so you can begin to recover.

Where possible I password protect and/or encrypt all documents that I send to clients when they contain personal data or confidential information, even if I am sending them on a USB stick or CD in the post. I do ask clients to protect their documents when sending them to me too; most of them do now, but there are a few that need prompting.

I have a VPN in place, full professional anti-virus (with a European based company). I also have cyber insurance in place and my Data Protection Registration is always up to date.

I back up with LiveDrive; this backs up my computer constantly with each amendment, and it backs up to five separately located servers based around the UK.

Using a password management system is also important; I change the password for this on a regular basis.

All my equipment is password protected and nobody in the family is allowed to use my laptop, phone or tablet. I have a facility with my Antivirus provider that wipes my devices if they are stolen too, which is really useful.

Keeping the GDPR audit up to date is important, and I (try to) keep up to date with all the changes in GDPR as they happen.


#3

I always get a bit paranoid about live backups, because if my computer gets stuff deleted, it’d wipe the backup too if that remains running!!! For that reason, I’d always want a “roll-back” setting on the backups.

GDPR is such a pain in the butt, but I think the ideas behind it are good - the implementation by ICO is sometimes not great because being a big org, they don’t always understand the impact their ideas will have on the small business. I think generally they are trying to improve this though, which is a positive!
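The deletion-propagation problem and the roll-back fix described above, as an added example that is not part of the original thread. It contrasts a "live" mirror (which faithfully copies a deletion) with dated snapshots that never touch earlier versions; the folder and file names and the snapshot labels are constructed for the demonstration.

```python
"""Mirror vs. versioned snapshot backups: why a live mirror propagates deletions."""
import shutil
import tempfile
from pathlib import Path


def mirror(src: Path, dst: Path) -> None:
    """'Live' mirror: dst becomes an exact copy of src, so anything deleted
    from src disappears from dst on the next run."""
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(src, dst)


def snapshot(src: Path, root: Path, label: str) -> Path:
    """Versioned backup: each run lands in its own directory under root and
    earlier snapshots are never modified, so old versions survive deletion."""
    dest = root / label
    shutil.copytree(src, dest)
    return dest


def restore(root: Path, label: str, target: Path) -> None:
    """Roll back: copy the named snapshot over target, keeping newer files."""
    shutil.copytree(root / label, target, dirs_exist_ok=True)


def demo() -> dict:
    """Constructed scenario: back up, accidentally delete, then back up again."""
    work = Path(tempfile.mkdtemp())
    src = work / "documents"
    src.mkdir()
    (src / "client-a-invoice.txt").write_text("invoice 001")  # constructed sample file
    mirror_dir, snap_root = work / "mirror", work / "snapshots"
    snap_root.mkdir()
    mirror(src, mirror_dir)
    snapshot(src, snap_root, "2024-01-01")  # constructed label
    (src / "client-a-invoice.txt").unlink()  # the accidental deletion
    mirror(src, mirror_dir)  # live mirror runs again and removes the file
    snapshot(src, snap_root, "2024-01-02")  # new snapshot, old one untouched
    result = {
        "in_mirror": (mirror_dir / "client-a-invoice.txt").exists(),
        "in_old_snapshot": (snap_root / "2024-01-01" / "client-a-invoice.txt").exists(),
    }
    restore(snap_root, "2024-01-01", src)  # roll back from the earlier snapshot
    result["restored"] = (src / "client-a-invoice.txt").read_text() == "invoice 001"
    shutil.rmtree(work)
    return result
```

Real snapshot tools share unchanged files between snapshots (hard links or deduplication) rather than copying them in full; the point here is only that a retention history exists to roll back to.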


#4

Any good gizmos or things you insist upon in terms of keeping data safe?
Just general basic stuff useful too!


#5

This is very interesting and I am looking forward to seeing the responses.

Slightly different and more just general data protection, but I had thought of a shredder, password protect everything, lock screen, Dropbox and antivirus protection.

I have been a DPO and just little things like if you bring your laptop out into a coffee shop, be mindful of what others can see. You can purchase privacy screen protectors. Try and bring out as little as possible that contains sensitive data. I love the ICO and it does have some useful tips but likewise I do feel it is sometimes too generic and aimed at bigger businesses.
Whilst working at the school, I had to regularly remind people to change their passwords, not make them easy and obvious and to not have the same ones for everything.


#6

Great points here…

Yes, basically ICO are reaching out to various industries and asking them to help develop better guidance for their industry which ICO will share… I know what my data looks like, but there are probably a million things I haven’t considered, because my set up isn’t very typical for a VA and we have some clever kit which does a lot of it for me (most VAs wouldn’t have that luxury as it’s not practical or economically viable for solo VAs).

I wonder if it’s easier if I ask people about how they protect their clients’ work and their own business? (Is that 2 different conversations?)


#7

We have been working on this since 2017 with our VAGDPR groups. Would love to collaborate.

In essence, it is not just about kit or set up (though having your kit set up right, including wifi, is a great start); it is also about understanding how data moves through your business and where the risk points are, and making decisions about how to minimise that risk.

The biggest problem when working with clients is still that clients ignore data privacy/security and not only work in insecure ways but want the VA to ignore it all too as ‘it is too much trouble’.

The biggest problem of real security is the number of platforms (social media in particular, but CPP Panels for websites too) that do not offer multi-user options, thus forcing VA and client to share a login. Even though shared through something like LastPass (or equivalent), this offers no traceability of who did what if something goes wrong. This means no multi-factor authentication most of the time, since this is impossible unless client and VA prebook a time for the VA to have access. This reduces security enormously and increases risk. If a third party gains access, no one can trace where the problem came from!

This further increases risk, as the client, having done this, just wants to share logons on everything, even where additional users are available.

Good practice for VA data handling is always going to have to be a mixture of secure and pragmatic.

I encourage VAs to have business subscriptions (not home or student ones) that usually allow more security and hosting options for their own software/platforms, to encrypt all devices routinely and to enter into a proper data processing agreement with each client that really addresses what needs to be done at both ends.

I encourage using MFA whenever it is available, and password lockers as a matter of routine, and properly setting up wifi so that guests (or children) do not have access to other devices on the system, since a big source of viruses etc. is the home wifi when accessed by others.

Malware and antivirus, of course.


#8

I think you’re right there. Securing our own data is one thing, but then our clients’ is something else.


#9

Really interesting points Annabel. IMO clients are the weak point! But that was also the same before GDPR came in with a set of rules for how people had to opt into info; VAs all saying as one “I’m not touching that” was immensely powerful at educating clients, whereas before they’d just go and try and get someone else to do it.

If you were trying to cover best practice in one doc, is it maybe to look at where the data flows then and rules for it? E.g. storage on machine = a, b, c; transferring data into your business = X, Y, Z; backing up = R, S, T etc.


#10

This is a great post, thank you - and a good reminder too to check that everything we are doing is secure. I don’t really have any more ideas to add unfortunately, but I have found this really helpful, so thank you everyone.