Digital security is a relatively recent problem, and companies are having to take practical steps to make sure the data they hold on their clients and customers is stored securely and responsibly.
In certain sectors, health and law in particular, the data held on clients can be especially sensitive, and firms storing such data have a responsibility to keep it away from prying eyes. With many companies now using cloud computing to store their documents, particular care must be taken to ensure that the cloud arrangement follows the relevant rules and best practices so that information is not leaked.
Confidentiality is key to a client’s trust (and, often, to compliance with the law), so having clear guidelines in place that control how people access documents will help to reassure your stakeholders and keep you within the rules and regulations that apply to your sector. How your staff access files, folders and software, how they work away from the office, and how they transmit data to one another are all areas that should be covered by guidelines.
Handing over your personal data to anyone has always involved a certain degree of trust, and there has long been the potential for that trust to be misplaced.
Data is increasingly stored in cloud systems, the provision of which is often outsourced to specialised companies. This can actually be a real positive from an IT security perspective, since few SMEs are likely to have the level of expertise in this area that dedicated cloud service providers have – but only if SMEs use the right sort of cloud provider, namely one which understands and complies with all relevant laws.
GDPR governs the collection, processing and storage of data, which, in many cases, is outsourced. This means that not only do companies need to ensure that their own internal systems are GDPR-compliant, they also need to ensure that any third-party vendors they use also operate in compliance with GDPR, regardless of where in the world they are based.
This obviously has the potential to set up a conflict between the EU’s requirements and the requirements of domestic laws in other countries, where governments may have powers to oblige companies to share data with them in a way which would not be permitted under EU law. The EU has created bilateral agreements with some countries to provide adequate protection for their citizens’ data; however, the U.S. is notably absent from this list of countries, which means that any data transferred to a U.S.-based service provider must be protected by “adequate safeguards”.
The EU-US agreement “Privacy Shield” provides a framework for secure, compliant operation; however, U.S.-based companies must sign up to it individually and self-certify, which means that EU-based companies need to make a point of checking that any U.S.-based vendor they use is actually covered by the scheme.