Personal Data Security Awareness

Personal Data security sounds scary, but the reality is that the European Union wants to make sure that companies collecting Personal Data know how to keep that data secure.

What does that mean for the owner of a SCRUMPY website?

As part of the initial training process for any new employee at your company (and, as a matter of importance, for existing employees) we'd recommend you keep some recorded proof of security training. A company should promote good security practices, call out potential issues and generally have an attitude of doing what it can to keep the Personal Data it stores secure. In practice that is most likely a spreadsheet with each person's name and a recorded 'training completed at' date/time, or just a notebook page you ask people to sign.

Why do I need to be aware of Personal Data security?

GDPR recognises that most Personal Data breaches (where people's data is accessed by someone outside your company; under GDPR a breach also covers data being accidentally lost, altered or destroyed) come down to people's access to systems being stolen or unwittingly exploited, either through a social engineering attack (where someone tricks you into giving them your password) or through malware. In simple terms, if your SCRUMPY account is stolen then the malicious individual may have access to all your bookings, guests, subscribers, etc., all of which are classed as Personal Data.

What should be present in a company's security training?

There is no hard rule saying 'phishing' or the use of anti-virus has to be included, but we've put together a list of what we think employees at a company that takes vacation rental bookings should at least be aware of:

  • Awareness of phishing: Holiday property websites are sometimes a target for phishing attacks. Phishing is a broad term that generally involves sending emails that appear to come from someone they don't, e.g. someone posing as "Your Bank" sending you a link to a website, or a "Supplier" you've never heard of sending an invoice for something you never asked for. The practical checks are to look at the actual sender address rather than the display name, to hover over a link and compare where it really goes with the text it shows, and to go to a site by typing its address yourself rather than following a link in an unexpected email.
  • Awareness of password security: Be aware of the danger of sharing passwords, never reveal your password to anyone, and understand the risks that come with a weak password or one reused across several services. Use a different password for each service (a password manager makes this easy), turn on two-factor authentication wherever it is offered, and you'll be well on the way to keeping Personal Data secure.
  • Awareness of what you'd do in the event of a data breach: Mistakes happen, and GDPR recognises that, but what it makes important is notifying the authorities and the affected customers. GDPR is trying to end the days when stolen data became a back-page story six months after the incident; it wants data security issues to be newspaper headlines as a means of forcing people to take security seriously. The company should know its obligations under the law, namely to notify the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of a breach and, where the breach is likely to put people at high risk, to tell the affected individuals without undue delay, so the company should have a plan in place for contacting customers. If you believe your business may have been the subject of a data breach please contact us immediately and we will assist where possible.
  • Awareness of GDPR: GDPR expects decision makers in your company to understand it and how to stay within the rules it sets out; in reality this just means management having a basic level of understanding of what they can and cannot do under GDPR: keep data secure, state what you do with it, and state who you share it with.
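
To make the phishing points above concrete, here is an added example (not SCRUMPY's code and not from the original page) that checks a raw email for the indicators described: a display name that claims one domain while the mail is sent from another, a Reply-To that goes somewhere else, a link whose visible text shows a different site from where it really goes, and a hostname that merely contains a trusted domain as a lookalike. The two sample messages, the TRUSTED_DOMAINS set and the shortcut used in place of a full public suffix list are assumptions made for illustration.

```python
"""Check a raw email for common phishing indicators (added example, not SCRUMPY code)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains this business genuinely expects mail and links from.
TRUSTED_DOMAINS = {"example-bank.co.uk"}

# Assumption: a tiny stand-in for the public suffix list, enough for co.uk-style domains.
_TWO_LABEL_SUFFIX = {"co", "org", "ac", "gov", "net", "com", "ltd", "plc"}

# Matches a hostname (optionally behind http:// or https://) inside free text.
_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def registrable_domain(host):
    """Last two labels of a hostname, or last three for suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in _TWO_LABEL_SUFFIX:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_in_text(text):
    """First hostname mentioned in a display name or link text, or None."""
    match = _HOST_RE.search(text or "")
    return match.group(1).lower() if match else None


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from the <a> tags of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _first_address(msg, header):
    """(display name, domain) of the first address in a header, or ('', '')."""
    addresses = getattr(msg.get(header), "addresses", ())
    if not addresses:
        return "", ""
    return addresses[0].display_name, addresses[0].domain.lower()


def phishing_indicators(raw_message):
    """Return (code, detail) findings; an empty list means none of these indicators fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Display name names a domain that is not the one the mail was sent from.
    display_name, from_domain = _first_address(msg, "From")
    claimed = host_in_text(display_name)
    if claimed and registrable_domain(claimed) != registrable_domain(from_domain):
        findings.append(("display-name-mismatch", f"name claims {claimed}, sent from {from_domain}"))

    # 2. Replies are routed to a different domain than the sender's.
    _, reply_domain = _first_address(msg, "Reply-To")
    if reply_domain and registrable_domain(reply_domain) != registrable_domain(from_domain):
        findings.append(("reply-to-elsewhere", f"replies go to {reply_domain}, not {from_domain}"))

    # 3. Link text shows one site, the href goes to another; 4. lookalike hostnames.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            href_host = (urlparse(href).hostname or "").lower()
            if not href_host:
                continue
            shown = host_in_text(text)
            if shown and registrable_domain(shown) != registrable_domain(href_host):
                findings.append(("link-text-mismatch", f"text shows {shown}, link goes to {href_host}"))
            for trusted in TRUSTED_DOMAINS:
                if trusted in href_host and registrable_domain(href_host) != trusted:
                    findings.append(("lookalike-domain", f"{href_host} imitates {trusted}"))
    return findings


# Constructed sample: what a phishing mail aimed at a rental business might look like.
SAMPLE_PHISH = """\
From: "Your Bank security@example-bank.co.uk" <alerts@mail-notify.example.net>
Reply-To: verify@login-check.example.org
To: bookings@seaview-cottages.example
Subject: Unusual sign-in to your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your details within 24 hours:
<a href="http://example-bank.co.uk.login-check.example.org/verify">https://example-bank.co.uk/login</a></p></body></html>
"""

# Constructed sample: a genuine notification for comparison.
SAMPLE_GENUINE = """\
From: "Example Bank" <alerts@example-bank.co.uk>
To: bookings@seaview-cottages.example
Subject: Your monthly statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://example-bank.co.uk/login">https://example-bank.co.uk/login</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("genuine", SAMPLE_GENUINE)):
        print(label, phishing_indicators(raw))
```

Run it with python3 and it prints four findings for the constructed phishing sample and none for the genuine one. An empty result only means these particular indicators did not fire; the human checks described above still apply.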

What should this training look like?

It completely depends on the size of your company. If you have 5 or more employees it might be worth putting together a document with links to resources and keeping track of who has read it in a spreadsheet or notebook. If you're smaller then a fairly short conversation about security may be enough; again, try to record the date you and the individual completed the training. If you're an individual operating on your own then brushing up on internet and data security, making sure you cover some of the topics we've suggested, and putting a date in the diary saying "I brushed up on security on this date" would help show a regulator or court that you have thought about Personal Data security.


Please note: These pages serve as advice and as such we cannot be held responsible for any damages occurring as a result of practicing any of the advice given.
