Tag Archives: data compliant

GDPR is here – Data Protection is Changing

shutterstock_128215814The General Data Protection Regulation (GDPR) will become law on 25th May 2018.  This is the biggest data protection shake-up for twenty years and impacts every organisation in the world that processes the personal data of UK and European citizens.

GDPR is designed to strengthen individuals’ rights and give them greater control over their data.  Data breaches and data theft … and the catastrophic publicity that goes with them … are now everyday events.  Just ask Morrisons, Talk Talk, eBay, Altzheimers Society and VTech. Under GDPR, these, and all other organisations will face fines of up to 4% of worldwide turnover or 20 million euros (whichever is higher).

The onus is on Boards, individual directors and management to understand and comply with the Regulation, and to make the critical changes required to the way in which organisations handle personal data.  And the clock is already ticking – there are only 24 months available to make the vital procedural, technical and resource changes required for compliance.

shutterstock_14154718The first issue is to understand exactly what personal data you hold.  This is not always simple. Data’s a bit like a river, and sometimes the flow can just be too fast to control. It may flow down the main stream, pause in a deep pool, join another river at a junction,  then wander off down tributaries, streams and burns, and disappear – only to bubble up unexpectedly in the middle of an isolated moor.  Like a river, data can be full of good and exciting things, or stagnant and disgusting.

 

It is essential to know what personal data you hold, where it is held, where it came from, how it was collected, what evidence you have that it has been collected and processed legally, with whom it has been shared (internally and externally), on what terms it has been bought or licensed, whether and where it has been archived or deleted, and who is responsible for its safekeeping.

Until all that information is in place, there is no chance that you can keep it clean, up-to-date and protect it from external or internal threats.  And there’s absolutely no chance you can comply with the Data Protection Act as it stands now – let alone GDPR.

Data Compliant has developed a quick GDPR Compliance Checker – if you’d like to know more about where you are compared to where you need to be for GDPR compliance, just click here, answer the questions, and we’ll send you a free report, including:

–  your topline level of compliance by category
–  a benchline summary of how you compare with other UK organisations
–  a summary of the key steps you need to take to become compliant
Remember, enforcement begins on May 25th, 2018 – now’s the time to start to get ready.

ISO 27001 Certification – who needs it?

It’s becoming an increasingly essential part of due diligence that a data controller, when appointing a data processor, will ask one simple question:  “Do you have ISO 27001 Certification?”  Given that data controllers are the liable parties for any data breaches or lack of compliance, they need to be certain their data is to be processed safely.  So if the answer is “no”, the processor is unlikely to win the contract unless they have some other extraordinary and unique competitive advantage.

I was going to write a blog about why ISO 27001 certification is so important.  Then I thought it would be simpler just to show you.  It’s all about protecting your business from potential breaches.

2014 global breaches infographicFrom the stats above, taken from  the 2014 Year of Mega Breaches and Identity Theft, it’s clear to see:

  • the US is clearly the largest target, but UK has second largest number of breaches
  • retail organisations suffered the greatest volume of data loss in 2014
  • only 4% of data breaches involved encrypted data – an astonishing statistic which tells us:
    • encrypted data is harder to breach
    • given the critical nature of encryption in data protection, the sheer volume of unencrypted data is staggering – too many organisations are simply not taking the most basic of steps to help keep their data secure

ISO 27001 is an international standard for data security management, providing a risk-based approach to data security that involves a data governance standard that is embedded throughout the business covering processes, technology, employees and training.

In the past, obtaining ISO 27001 certification has been a time-consuming, arduous and costly exercise.  Now, however, the whole process of creating the gap analysis, providing robust policies and procedures, and obtaining certification can be made much simpler.

If you’d like to know more about getting ISO 27001 quickly, simply and cost-effectively, please get in touch on 01787 277742 or email victoria@datacompliant.co.uk – we’ll be happy to have a chat and answer your questions

Services at December 2014

Phishing, e-commerce and retail

phishing

Britain is targeted by up to 10,000 cyber attacks per hour, making it a business imperative for organisations to strengthen their data security systems and processes.

Retail and financial services websites are at the highest risk from attack, and Christmas – with a projected online spend of £17.4bn** – is the most popular time of year for cyber criminals.

A Google study from a couple of weeks ago made an astonishing statement:

Phishing stats 45%

This is a particularly worrying statistic given that data security breaches carry a huge cost – both to reputation and financially.

phishing stats Nov 2014

The costs of a breach increase every year, and will inevitably continue to rise as new legislation comes in with greater powers to the ICO.

So it’s time for retailers to make sure their staff don’t fall into the 45% of successful phishing attacks, and understand how to minimise security risks to the business.

Christmas Offer

25% Christmas Discount

Data Compliant  provides data security training workshops for companies who want their employees to understand how to keep their data secure.

2-hour security workshops for up to 10 attendees per session are available from January 5th 2015.  The usual cost is £1,100*.  Within the workshop, we’ll demonstrate how to recognise and avoid phishing attacks.

Any organisation making a firm booking for a data security workshop before 23rd December will receive their 25% discount – ie a reduction in cost from £1,100 to just £825.*

For more information or to book your workshop, call 01787 277742 or email victoria@datacompliant.co.uk

* Stats taken from UK 2014 Information Security Breaches Survey – Department for Business Innovation and Skills

**stats from internetretailing.net

* Costs exclude VAT and expenses.

 

CCTV Data Protection Guidelines from ICO

drone delivering parcelClearly surveillance has both benefits and drawbacks, and the level of public interest and debate about both is increasing. Technology is advancing swiftly, and surveillance cameras are no longer simply passively recording and retaining images. They are now also used proactively to identify people of interest, to keep detailed records of people’s activities both for social (eg schooling, benefits eligibility) and political (eg terrorist) reasons.

There’s a real risk that, despite the benefits, use of CCTV can be very intrusive.

The ICO’s new CCTV code of practice continues its focus on the principles that underpinned the previous code of practice. However, it has been updated to take into account both the changes in the regulatory environment and the opportunities to collect personal data through new technology.

There is some fascinating information in the guidelines – specifically around some of that new technology, where three of the key recommendations are:

  • Privacy Impact Assessments – a requirement that involves ensuring that the use of surveillance systems is proportionate and addresses a pressing need (see the
  • Privacy Notices / Fair processing – a key issue for many of the new technologies is finding creative says of informing individuals that their personal data is being processed – particularly where such processing is simply not obvious.
  • Privacy by design – for example, the ability to turn the recording device (audio and / or sound) on and off as appropriate to fulfil the purpose; the quality must be high enough to fulfil the purpose; the use of devices with vision restricted purely to achieve the purpose

The new technology specifically covered in the guide includes:

Automatic Number Plate Recognition (when to use it, data storage, security issues, sharing the data and informing individuals that their personal data is being processed – something of a challenge needing some creative thinking);

Body Worn Video (warnings against continuous recording without justification; the use of BWV in private dwellings, schools, care homes and the like – and, again, the thorny issue of informing subjects that they are being recorded);

Unmanned Aerial Systems drones are now increasingly used by businesses as well as the military (Amazon has stated its intention to use drones to deliver parcels …). Some of the key issues are privacy intrusions where individuals are unnecessarily recorded when the drone has some other purpose; the distinction between domestic and commercial use; providing justification for their use; the ability to switch the recording system on and off; the whole system of data collection, storage, accessibility, retention periods and disposal requires compliance.

Automated recognition technologies are increasingly used commercially to identify individuals’ faces, the way they walk, how they look at advertising and suchlike. Again, the issues of fair processing, degree of accuracy of images and their identification, storage, retention, transfer, disposal and security are all key to compliance.

If you are using surveillance devices to view or record and / or hold information about individuals, then it’s worth noting that such use is subject not only to the Protection of Freedoms Act (and its Surveillance Camera Code of Practice), and the Data Protection Act, but you also need to consider your obligations under The Freedom of Information Act 2000 and the Human Rights Act 1998.

If you have any concerns about your data compliance in general or your surveillance camera compliance specifically, contact us on 01787 277742.  Or email victoria@datacompliant.co.uk

Services

Surveillance Camera Code of Practice – 12 Principles

security cameraDo you use a surveillance camera system within your organisation?  If so, it’s worth noting that the Surveillance Camera Code of Practice must not only comply with the Data Protection Act and its 8 Principles, but also provides its own 12 guiding principles:

  1. Purpose: Use of a surveillance camera system must always be for a specified purpose in pursuit of a legitimate aim, and necessary to meet an identified pressing need
  1. Privacy Impact: Use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified
  1. Transparency: There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
  1. Accountability: There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
  1. Policies and procedures: Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them
  1. Relevance and Retention: No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged
  1. Access to retained images and information should be restricted. There must be clearly defined rules on who may gain access for what purpose; the disclosure of images and information should only take place where it is necessary for such a purpose or for law enforcement purposes
  1. Standards: Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose, and work to meet and maintain those standards
  1. Security: Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
  2. Audit: Effective review and audit mechanisms should be in place to ensure legal requirements, policies and standards are complied with in practice.  Regular reports to be published.
  3. Public Safety: When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
  4. Accuracy: Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.

If you have any concerns about your data compliance in general or your surveillance camera compliance specifically, contact us on 01787 277742.  Or email victoria@datacompliant.co.uk

Services

Smartphone Security

SmartphoneSmartphones are becoming cleverer by the day. I use mine as an address book … to read books … listen to music … search the internet … look at emails … find my husband … use social media … keep track of the news … take pictures … and so much more. I even use it to make and receive calls and texts.

But from a security point of view, smartphones can be leaky, and increasingly it’s down to the user rather than the provider to take responsibility for their own protection. Here is some simple guidance and some references for those who’d like more information:

Smartphones – as important as your wallet and credit / debit cards

Ofcom advises that you treat your smartphone as carefully as your wallet or a bank card, and that’s excellent advice. Losing your smartphone is inconvenient at best and a disaster at worst. There’s the potential expense of any charges that a thief might run up before you report it as lost. And, unless it’s insured, the cost of replacing a smartphone can be horribly expensive.

Not only that, but any confidential information is at risk – your contacts, your emails, even your bank account. And it’s no longer just your own data at risk. If you use your smartphone for business, losing it may have potentially serious implications for you and your company in the event of a data breach.

What to do before you lose your smartphone

  • Set and use a pin or password both on your phone and your SIM for secure access
  • Make sure you know your IMEI number – if you haven’t already done so, just type *#06# into your handset and it should flash up. If not, look behind your phone battery and you’ll find it there. Make a note of it and keep it somewhere safe.
  • Have a look at Immobilisewhere you can register your phone and may then stand some chance of being reunited with it in the event of loss or theft. All UK police forces and various other lost property offices and agencies use it as an online database to trace owners of lost and stolen property.
  • If you are registered with Immobilise, mark your phone as being registered – it just may help deter opportunistic theft
  • Download an app such as findmyiphone or findmyphone. Not only will this help you trace your phone if it is lost or stolen, but it will also allow you to wipe details from it remotely to allow you at least to minimise theft of your data.

How to keep your data safe

  • In the same way that you’d keep your computer data backed up, you should do the same for your smartphone – keep it backed up, either in the cloud or on some other device. That way you stand to lose the minimum amount of data.
  • Keep up-to-date with your operating system – accept updates as they become available as they will include any fixes to security vulnerabilities within the previous software.
  • Use antivirus software to protect your phone from attack by virus or spyware. I use Lookout, but there are various other excellent options.
  • Make sure your apps are only downloaded from trusted sources. Check them out before you download them – read the reviews and check their privacy policies.
  • Keep you apps updated when updates are offered.
  • Bear in mind that a rogue app may allow access and control rights to a hacker who can then make calls, download content, send or intercept messages using your phone without your knowledge. You also run the risk that your smartphone becomes the entry point to other devices to which it may be connected.
  • Check the permissions you grant when you download an app – for example, it may request to use your current location, or to access your photos etc. Make sure that you only provide the data that you require the apps to have, and ideally only provide the information the app needs in order to work.

What to do if you lose your smartphone

  • If you lose your phone, contact your provider and (if you are insured) your insurer immediately.
  • Get your phone blocked – to do this you’ll need to give your provider your phone’s IMEI number, make and model number.

What to do when you get rid of your phone

Before disposing of your smartphone, make sure that you:

  • Erase any apps
  • Erase any data held on it, including media cards
  • Then go into your Settings menu and reset to Factory settings

Above all, smartphones should be treated as the valuable assets they really are, and kept safe to protect both personal and company assets data and assets.

If you have any concerns about your data security in general or your smartphone security specifically, contact us on 01787 277742.  Or email victoria@datacompliant.co.uk

Services

Data Protection and the ICO

Data privacy

Data Protection Complaints 2013 – 2014

Yesterday I read that the Information Commissioner’s Office handled 259,903 calls to its helpline and has resolved 15,492 data protection complaints last year. This is an increase of 10% over the previous year.  And here’s another staggering figure – the ICO received 161,720 reports from people about spam texts and nuisance calls.

Half the total complaints received related to “subject access”, with a range of organisations about whom complaints were made, including lenders, local government, educational providers and local health providers.

The importance of data protection in business

Organisations and businesses can no longer ignore the importance of data protection governance, compliance and security – they now have no choice but to understand and meet their regulatory requirements to avoid the penalties of non-compliance.  Last year’s attitude to and handling of ‘subject access requests’ is a perfect illustration of the current complacency seen among some data users.

The sheer volume of personal data being collected physically and digitally every day is multiplying at an extraordinary rate and organisations are continuing to find ever more complicated ways of using data.  Use of big data continues to develop with organisations trying to navigate their way through woefully outdated legislation.

The importance of the ICO

As a result, the data protection challenges to business, the consumer and the ICO are spiralling. It’s increasingly important for the data subject to know that a strong, independent body – which means the ICO – can be trusted to keep watch and offer protection.

With this increase in volume and demand, it’s hardly surprising that the ICO is calling for greater powers, greater independence, and additional funding.

Funding is a particularly difficult area as the EU data protection reforms currently propose the removal of the notification requirement and accompanying fees that fund the ICO’s DPA work. Lack of funding will inevitably give rise to cuts in the services provided by the ICO – for example, it has no legal obligation to provide a helpline, and reduced funding makes it unlikely to be able to continue to handle its current – let alone future – volumes of calls a year.

So it’s absolutely vital not only to individuals but also to businesses, organisations, government and the ICO itself that necessary resource, funding, independence and evolving powers are provided to allow the Information Commissioner to continue to protect, update and enforce data protection legislation.

ICO’s internal data security breach

However, it is somewhat unfortunate that at the time the ICO is asking for greater funding, independence and stronger powers, they are also admitting to their own “non-trivial” data breach. The incident was treated as a self-reported breach and was apparently investigated and treated no differently from similar incidents reported to the ICO by others. After an internal investigation the ICO concluded that the likelihood of damage or distress to any affected data subjects was low, and that it did not amount to a serious breach of the Data Protection Act. A full investigation was carried out with recommendations made and adopted.

However, later information suggests that this breach is now linked to a criminal investigation. So the breach investigation has not, seemingly, been closed.

Data Compliant

Services

If you have any concerns over data protection compliance or security, don’t hesitate to get in touch – call 01787 277742 or email victoria@datacompliant.co.uk