Following a lead from a local IT firm, InfoLore arranged to meet a new client to discuss the forthcoming General Data Protection Regulations (GDPR). After meeting the owner, both parties decided to start with a Cyber Review of the client’s IT system, since this would be of greatest value to them. A wise decision, because a good section of the GDPR is about data protection, and a cyber audit is a strong place to start a Data Protection Audit for the Lincolnshire-based company.

The Brief

The client had been concerned about GDPR and its ramifications for them. They are a small family business, with 6 computers, a successful website and a thriving shop. They do very little marketing and no online marketing at all. Instead, they rely on word of mouth and repeat business. So far, all they had done was update their Website Policy with one supplied to them by their website designer.

What we did for them

We met up again and asked the client questions about their IT Systems, using our Cyber Audit Questionnaire (based around the Cyber Essentials Certification recommended by the Government), plus extra questions that we felt were suitable. These extra questions are the result of our Cyber Reviews on other clients. Additional, relevant questioning helped us gain a further understanding of the client’s needs.

With the Cyber Audit questionnaire complete, we had a general discussion about the further in-depth GDPR Review. This focusses on the whole of the business, the data protection policy documents and the GDPR training. It means another session to complete it, or perhaps two, since there are a lot of questions: in fact, nearly 3 times the number of questions on the Cyber Review.

On assessing the Cyber Review we gave the company a score of 17%. On our traffic light system (patent pending), this means they were in the red. Not good. But expected.

We sent our report to the client and one to their IT support company (the same one who had made the initial introductions). And then the work started.

The Outcome

The client engaged the IT company to review and make suggestions to bring them up to speed with technology and software. The computers were all Windows 7, the software was not cloud based, there were no backup systems in place and anyone could access their data from any computer in the office. The router still operated on the original maker’s settings and was wide open to hacking. There was no security of data at all and yet they were dealing with many customers on a regular basis. There were no password controls in place either.

After several months we visited the client again. They had engaged the IT Company to update all their hardware, suggest better software, to include the use of the cloud where suitable, and to include comprehensive backup for software not cloud based. They were now ready to revisit the recent Cyber Review.

We asked the same, and more, questions and now received positive results. The client scored 47% on our traffic light system – still a way to go, but progress, not perfection. They could now evidence up-to-date software; all hardware networked; password controls in place; brand new, suitable software, courtesy of their Accountant; full IT integration working and full IT support available.

A third visit and a review. They are now at 97%, justifiably delighted with the progress they have made. They feel more comfortable as a business and we (InfoLore) are pleased with the collaboration between the IT company and ourselves. We now have a client much less hackable than they were, running a good, efficient IT hardware and software system which is enabling them to get on with the work they wish to do and not worry about their IT.

Our next stage is to start the actual GDPR Review, an intense questioning process to look at everything they do with the personal data they collect. They have achieved almost 100% on the Cyber Review, but, as yet, only 20% on the GDPR system. Such is the rigour of the new GDPR.