GDPR for Psychotherapists - Technical issues; recommended actions
One in a series
This is one in a series of interconnected blogs about applying the GDPR (2016) law for psychotherapists in the UK. The blogs are somewhat independent, but it would be best to first read the Overview and Introduction blogs, to orient yourself to the wider context and give background.
No affiliation
I am not paid by, do not receive any other consideration from, and do not have any affiliate arrangements with the organisations, companies or individuals I mention, or for their products or services. I do use many of the software applications I mention, but receive no discount or anything else for mentioning them.
Action summary
This is again a summary for those who don't want to research, evaluate and think for themselves, but who want to act as quickly as possible and have a set of things to do that they can just get on with. Be warned - you are still responsible for what you do!
I have tried to give one-shot recommendations that are effective and as cheap as possible. A few times I give both a paid and a free option. In those cases there is always a reason for it: the free option is less convenient to use; the paid one is easier to use. Both are effective security-wise.
In common for all Operating Systems
- If you want to use your computer or mobile in any public place with Wi-Fi, use a paid VPN, e.g. ExpressVPN, Mullvad or AzireVPN.
- Use strong passwords for everything, and for any sensitive application use 2FA. Never share a password or use it for more than one meaningful application. Install and use a password manager: 1Password (paid), Bitwarden (paid) or KeePassXC (free).
- Back up, and possibly sync, to an encrypted cloud system, perhaps pCloud with pCloud Crypto. Backblaze is also a popular, technically robust and easy-to-use option, though possibly slightly less secure than pCloud.
- Inform your clients that most email is inherently insecure, and that (under the new law) you are not prepared to have email communication with them that is not properly secure and protected. Give them the choice either not to use email at all, or to install a fully encrypted secure email system that matches yours. Number one choice: ProtonMail; Tutanota is a good alternative. Both are paid, but each has a limited free package (probably big enough for clients).
Messaging apps
Use Wire or Signal. Do not accept SMS, not even for appointments. Tell your clients that for messaging they must install Wire or Signal (or specify the app you want).
For Mac users
- Use all the security options offered to the maximum; keep your Operating System, browsers and major software always updated with the latest updates.
- Use FileVault to encrypt the internal disk or SSD drive. Enable the encryption option on Time Machine, and let it permanently back up to your external backup disk.
For Windows users
- Use all security options offered to the maximum; keep your Operating System, browsers and major software always updated with the latest updates.
- Use full-disk encryption to encrypt your internal hard drive or SSD, and your external backup drive. Do this with BitLocker - a paid-for Windows product - or VeraCrypt - free and open source, but technically more challenging to use.
- Set the internal automatic Windows backup to back up to your local external encrypted hard drive or SSD.
Vitally important - passwords - once again!
No security is possible without passwords.
- Use a password manager. If you are able to remember your passwords, they cannot be strong enough.
- Only use strong passwords. Minimum 15 characters, totally random. Don't use normal English words or words / numbers related to yourself.
- Never use passwords more than once (except possibly for some unimportant logins, where it really does not matter).
- Never share passwords with anyone.
- Never keep passwords in unencrypted or unhashed form on your computer.
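As an added example (not part of this post), here is a small Python script that generates passwords meeting the rule above (minimum 15 characters, totally random) from the operating system's cryptographic random source, estimates their strength in bits, and rejects passwords that are too short or contain details related to you. The 94-symbol alphabet and the list of personal details are assumptions.

```python
"""Added example, not part of the original post: generate and check passwords
against the rule above (minimum 15 characters, totally random, nothing
related to yourself). Uses `secrets`, which draws from the operating
system's cryptographic random source, never the `random` module."""
import math
import secrets
import string
from typing import Iterable, Tuple

# Assumed alphabet: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 15  # the post's minimum


def generate_password(length: int = MIN_LENGTH) -> str:
    """Return `length` characters drawn uniformly at random from ALPHABET."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Strength of a uniformly random password: length * log2(alphabet size).
    15 characters from 94 symbols give roughly 98 bits."""
    return length * math.log2(alphabet_size)


def meets_policy(password: str, personal_details: Iterable[str] = ()) -> Tuple[bool, str]:
    """Check a password against the post's rules and return (ok, reason).

    `personal_details` is a constructed list of strings that relate to you
    (surname, practice name, birth year ...) and must not appear in a password."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    lowered = password.lower()
    for detail in personal_details:
        if detail and detail.lower() in lowered:
            return False, f"contains personal detail {detail!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a human-chosen password versus a generated one.
    details = ["Smith", "2024"]
    for candidate in ["SmithTherapy2024!", generate_password()]:
        ok, reason = meets_policy(candidate, details)
        print(f"{candidate!r}: {'ok' if ok else 'rejected'} ({reason})")
    print(f"generated passwords carry about {entropy_bits(MIN_LENGTH):.0f} bits")
```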