One of the requirements of GDPR is that data is kept securely. Whilst this has always been good practice it is now mandated by the regulations. And it is of course essential to keep your personal online accounts and banking details secure.
There are 3 main places data is kept:
- On paper
- On a local computer or mobile device
- On a cloud server
There is all sorts of advice circulating on how to keep data secure, and some of it seems to be way over the top in comparison to the value of the information. We can’t be complacent but we don’t need to be paranoid. Clearly you would need to be more careful with sensitive information (e.g. financial or medical). Please note, this is not legal advice, only opinion.
If these are kept at home then in general they only need to be kept out of sight. Most people would consider their homes to be secure – do you keep your purse in a locked cabinet? If you have a lodger it might be wise to lock things away. Ultimately you are responsible for the security of data kept there and you know the people you share your home with.
If records are kept in a more public space such as a church then clearly they should be kept in a place which has restricted access, e.g. a locked filing cabinet or an office to which only authorised people have access.
Don’t leave paper copies lying around! This is easily done with frequently referenced documents like a directory of members’ addresses and phone numbers.
Computers and mobiles
These can hold a great deal of information in a very small space, and if you know where to find it you can steal everything very quickly. There are obvious safeguards you can put in place:
- Always use a password, PIN or biometric lock on your device, particularly on mobile devices. These are easily lost or stolen and if unprotected then all the information stored on them is instantly available.
- If your computer is shared with other family members then you need to take additional measures. This could be by having separate logins and storing the data in your personal area that cannot be seen by others when they are logged in. Or you can encrypt the individual files so that they require a password to open.
All these only work if you use them properly – close encrypted files when you are not using them, lock or logout of the computer when you leave it, make sure your mobile is locked when you are not using it.
There are at least 3 categories of cloud storage:
- Google Docs/Office 365 operates on documents stored in the cloud using a web browser. There is no local copy of the file on your device, so you have to be logged in to the service to see the data. As long as your login is secure and direct downloads are disabled, this is a good way of preventing others from accessing the data. However, be aware that mobile devices in particular tend to leave you logged in permanently so if your phone is lost or stolen then anyone gaining access to it could also access your files. (This is true of Google Groups as well as other Google Apps). One way round this is to use a separate account which is not synced on your phone.
- Dropbox/Google Drive/OneDrive are file sync systems. They copy data on your local device to cloud storage and replicate any changes across multiple devices that you have linked to the same account. This is great for multiple access but since the files are also present locally you have to ensure that both local and cloud storage is secure.
- MailChimp and similar email marketing platforms have a list of subscribers which exists only online. Unless you have an app to access those lists on your phone, which generally you don’t need, then the only way to access your data is to login to your account, making it much more secure.
General advice on passwords
It goes without saying that you should use strong passwords to protect your data. However the advice on what constitutes a good password has changed over the years. Changing your passwords frequently and using numbers to replace letters is no longer recommended, although a lot of websites still enforce this.
Don’t use the name of your house/boat/child/dog as a password as these are very easily guessed. And especially don’t use ‘password’ or ‘password1’!
If your password is difficult to type because you are trying to remember where you changed ‘E’ to ‘3’ then you are forced to type slowly and someone watching you can more easily see what you are doing. These letter substitutions are no longer recommended because password attacks will routinely try those anyway.
The best indicator of password strength is not how difficult it is to type or remember but simply the length. If you take 3 or 4 unrelated words and string them together you have a password that is easy to remember, hard to guess and because it is long, hard for a machine to crack by trying every possible letter combination. It doesn’t have to mean anything, so you could use something like ‘antelopelaundryfakir’ or ‘greentulipcurtainride’. But don’t use those particular ones!
Don’t use the same password for everything. If you do and your password is compromised for one site then it will be compromised for many sites. Having unique passwords is fine if you only have a few passwords, but most of us have so many to remember that it becomes impossible. The best way round this is to use a password manager. You have a master password to access it, which should of course be very long and un-guessable (and memorable to you), and you store the passwords for individual sites and services in there. Because you need only remember one master password, the passwords for other sites can be generated automatically as long random sequences of letters and numbers. I still use passwords I can remember and type, for sites I use often.
There are many password managers available, some free and some requiring a monthly subscription. Be sure to use a well known and well reviewed one and download it from the company’s main website, not from a 3rd party download site.
Two Factor Authentication (2FA)
This is an additional layer of security you can set up on some online logins. It is a good idea to use this for your most sensitive data, such as banking data. As well as knowing a password you also have to be in possession of a physical thing, usually a mobile device. This means that anyone pretending to be you has not only to know your secret password but also have access to your phone.
When you login to a site a message is sent to your mobile with a code, which you then have to type into the website. There is often an option to save known devices like your laptop so you don’t have to keep entering the second factor.