
Who Is Responsible For GDPR?

Categories: Business Risk, Cyber Security, GDPR, Supply Chain Risk

Just who is responsible for GDPR in a company? Everyone, starting at board level and working down.

GDPR In The Press

There was a flurry of press coverage, interviews, radio and TV coverage recently as the ICO began their campaign to make businesses and other organisations aware that there are now fewer than 200 working days until the EU General Data Protection Regulation (EU GDPR) and the new UK Data Protection Act become law on the 25th May 2018.

But here at Risk Evolves HQ we sighed with frustration and gnashed our teeth that the wonderful BBC continue to report this as a technology story.

Once more the responsibility for all things data related is expected to fall on the shoulders of the much maligned IT Department / Provider. As we have highlighted previously, the entire organisation has a responsibility.

Who Will Be Affected By GDPR?

The EU GDPR will touch every aspect of the organisation and it is important that organisations begin to work on a strategy now. And we very deliberately say ‘organisation’ as the new laws apply to all organisations – commercial, public sector, charities, not for profit, education, SMEs, sole traders – you name it, it is likely to affect you. In brief, anyone who collects and processes data, regardless of the organisation’s sector and size, and regardless of whether it is digital (i.e. on a computer) or on paper.

The EU General Data Protection Regulation (EU GDPR) and the new UK Data Protection Act become law on the 25th May 2018.

The golden rule – if you have data that can identify an individual, then the data is personal. This could be through name, address, IP address, fingerprint etc. Personal information needs to be treated and respected in the same way as any other company asset: with care and respect, protecting it from damage or theft.

Why is GDPR more than just an IT Manager’s Issue?

  • Human Resources / Personnel: they should manage starters and leavers to the organisation, ensuring that new starter information is correctly managed and that employment contracts and induction programmes make individuals aware of their responsibility to manage data as an asset. They may need to gain consent from the individual for DBS checks and DVLA checks, and gain authorisation to process data for payroll, reassuring them that it will not be misused. If you provide information to pension providers, or companies that provide health care benefits, are their systems secure? What are they doing as data processors to protect individuals’ information?
  • Training: the on-going education and training of staff to ensure that they understand how data can and cannot be managed. This needs to include information on what to do if they think that they have lost data.
  • Procurement: they should ensure that any third parties who may be used to process data follow the same ethos, that the data is protected, not shared with others, and that only the information that is required is passed to them. Equally, if they lose data, suffer a ransomware attack or suspect that their systems have been compromised, how will this be communicated to you as the data controller? And if you have outsourced your IT, does the provider have the correct processes and systems in place to manage your data securely?
  • Legal: are the contracts that are in place with customers and suppliers robust enough in the new era?
  • Marketing: similar to the current legislation, marketing has to change to ensure that only customers who have positively opted in to mail (both online and postal) campaigns receive emails.
  • Security: is the office and other premises secure? How is physical data (i.e. paper, old laptops etc.) destroyed?

… the list goes on.

Management NEED To Take Ownership Of GDPR

However, absolutely key, the management team need to demonstrate to customers and employees that they are serious about the new legislation by taking ownership of ensuring the resources are available to support it. This responsibility cannot be abdicated, and in some instances they will need to assign the role of Data Protection Officer to an individual who can join them at Board level.

This is clearly not solely a technology challenge! It is possible to avoid the over-reported threat of fines by taking some straightforward and pragmatic steps now.

We understand that these changes all sound daunting, regardless of the size, sector or turnover of your organisation. However, help is at hand. Contact us to find out how the new legislation and regulations apply to your organisation, and for information on our no nonsense approach to becoming compliant.


NHS Cyber Attack

Categories: Cyber Attack, Cyber Security, Latest news, Ransomware

What is the NHS Cyber Attack?

Today (12th May 2017) news broke of a massive NHS Cyber Attack that has had catastrophic impact on our NHS, leading to a major incident being declared.

Operations have been delayed or cancelled, patients’ discharges from and admissions to hospital have been delayed, prescriptions have not been issued, A&E has been disrupted … the impact of the NHS cyber attacks continues and sadly there is a real risk that lives may be jeopardised.

Was the NHS Cyber Attack targeted?

According to the BBC News, the attack does not appear to have been limited to the UK with 70+ other countries impacted. A major ransomware attack has unfolded, impacting thousands of users.


What Are The Consequences Of Not Complying To GDPR?

Categories: Business Risk, Cyber Attack, Cyber Security, Data breach, GDPR, IASME, ISO27001, Latest news, Risk Education, Risk Management

So what are the consequences of not complying with the EU General Data Protection Regulation?

I recently wrote a blog ‘What is GDPR and why do you need it?’ to highlight the real meaning behind why data protection is changing.

What Are The Consequences Of Not Complying To The GDPR?

The UK Government and Information Commissioner’s Office (ICO) have declared that no new legislation will be introduced to cover the growing threat of cybercrime, as this is a business owner’s responsibility to address.

What they will enforce, though, is legislation about the use of data. If data is protected, then at least any cyber-attack should find that personal data is (or should be) protected and safe.

What Are The GDPR Fines Or Punishment?

So the focus is on the GDPR, and the penalties for non-compliance are eye-watering:

  • Infringement of Articles 5, 6, 7 and 9 carries a penalty fine of up to €20M or up to 4% of total global revenue of the preceding year, whichever is greater.
  • Infringement of Articles 8, 11, 25-39, 42 and 43 carries a penalty fine of up to €10M or up to 2% of total global revenue of the preceding year, whichever is greater.

In summary, we know that the GDPR is coming, that it will become law in May 2018, that it is important, that it should not be ignored and that there will be some pain if we fall short.

You need to comply with the GDPR, so the question is…


What is GDPR and why do you need it?

Categories: Business Risk, Cyber Security, Data breach, GDPR

Why Do We Need the EU GDPR?

The European Union General Data Protection Regulation (or EU GDPR for short) is the update to the current UK Data Protection Act. It will impact all businesses and how we deal with data online.

Current Data Protection legislation was launched in 1998 and has improved the way businesses control our personal or sensitive data.

If you are like me, you increasingly find yourself asking, on a daily basis, why more and more people are able to obtain your details and send you junk mail and spam, or monitor your activity on websites.

How is this possible if I have ticked the TPA exclusion boxes or put exclusions on my BT line?

The fact is that data protection requirements were written for a different time, so what was a compliant use and retention of data is now not fit for purpose.

Perhaps the legislation was not unreasonable in 1998…

Where were you 20 years ago? You may have had a computer with a floppy disk and a processor far less powerful than a mobile device today.

I still have my BBC Commodore so can quickly prove this to be true!

  • There was also no Facebook, no Google, no Twitter and no Instagram, to name a few.
  • An iPad didn’t exist; a tablet was still something prescribed by your doctor.
  • Robotics amounted to watching K-9 on Dr Who!

In fact, everything was different … including control and access to data.

Bring the clock forward to a far more technologically advanced world…


Small Business Cyber Security

Categories: Cyber Security, Featured news, Supply Chain Risk

There is a dangerous trend emerging in small business cyber security…

So many SMEs like you are working in the belief that “it won’t happen to me..”

But as we enter 2017 you cannot get away from the continued warnings about cyber risk and cyber threats; the amount of information is frightening.

Are you carrying on with known or unknown weaknesses in your business’s systems and processes?

If you know the weaknesses then you only have yourself to blame, but the scariest problem is the weaknesses you don’t know about that make you vulnerable to a cyber attack.

The Landscape of Small Business Cyber Security

The cyber threat landscape is rapidly changing, as is the nature of the cyber criminal.

No longer is it a chancer trying to hack your system because they can.

Now it’s as likely to be an organised professional criminal with multi-millions as the prize; and of course the more they gain, the better and bigger their cyber and hacking abilities become.

Stats released for 2016/2017 around cyber threats were astonishing and in particular the growth in the last 3 months of the year.


The TalkTalk data breach, a record £400k fine and a warning to others

Categories: Cyber Security, Data breach

The TalkTalk Data Breach

On the 21st October 2015, TalkTalk became aware of a major security breach. Over the following days and weeks, the severity and magnitude of that breach filled the headlines of the British and international newspapers. More than 150,000 users saw their personal information leaked. Of those, more than 15,000 users saw their bank account details compromised.

“failed to apply software patches to a database, fixing a known exposure that had been identified more than 3.5 years prior to the breach.”

The next day, TalkTalk informed the Information Commissioner’s Office of the data breach. The TalkTalk data breach has cost about £60m and contributed to the loss of over 100,000 customers. The police are still questioning 6 individuals (all under 21 years of age) in relation to the crime.

The ICO Investigation into the TalkTalk data breach

Now TalkTalk is back in the headlines as the ICO issues a record-breaking fine of £400,000, due to security failings that allowed a cyber attacker to access customer data “with ease”. The ICO investigation found that the attack could have been prevented if TalkTalk had taken basic steps to protect customers’ information. Worryingly, TalkTalk failed to apply software patches fixing a known exposure that had been identified more than 3.5 years prior to the breach. The report highlights that there were two additional attacks 12 weeks before the October breach which had not been detected.


Lessons from the Yahoo data breach

Categories: Cyber Security, Data breach

Lessons from the Yahoo data breach

Once again the headlines are dominated by news of another major breach; unsurprisingly, it is the Yahoo data breach that has been made public.

What happened at Yahoo?

It’s a massive data breach, making TalkTalk, LinkedIn and Ashley Madison look tiny – 500 million records have been breached in what is being reported as a ‘state-sponsored’ hack, with rumours of involvement from China, Korea or Russia. The breach occurred at some point in 2014 and impacts not just users of Yahoo, but potentially Sky and BT users as well.

Yahoo data breach raises so many questions

It is clear that this story will continue to run for many weeks and months. It raises so many questions: how much did Yahoo know? When did Yahoo find out? Why didn’t Yahoo recognise that a breach had occurred? And why do Yahoo think it was a state-sponsored attack, given the data has found its way to the dark web?

I’m sure the new owners of Yahoo, the well respected communications company Verizon, will have many more questions.

Who is responsible for Cyber Security?

Categories: Cyber Security

So just who is responsible for cyber security? Earlier this week we re-tweeted a great article from the Cyber Skills Centre about who is to blame for the current issues and challenges with cyber security in organisations.

Controversially, the author, Stuart Wilkes, suggested that responsibility resides with the IT Director and not the software provider or the criminal. Reading the article, his argument was logical and well structured. As business leaders, IT Directors have the responsibility for ensuring security is included in the design of systems, for communicating with the Board / their clients on trends within the industry, for recommending changes in process and practice in the organisation, and so on.

The article created much discussion at Risk Evolves HQ.

Should the IT Manager shoulder 100% of the cyber security blame?

Absolutely not! We’d like to go one step further and suggest that as employers and employees we have a major responsibility as well. Let me explain.

We were out and about the other week and stopped to use a ‘free Wi-Fi’ service at a coffee shop (we drink far too much coffee!). In order to gain access (mindful of the advice provided by GetSafeOnline), you had to share some details:

  • Email id
  • Name
  • House number
  • Postcode
  • Telephone number
  • Date of Birth
  • Gender

Wow – just for ‘free’ Wi-Fi! According to the small print, the data would only be used for ‘marketing purposes’ and you could of course unsubscribe at any time. But as consumers, would you really give this data away? Who has it? Where is it being kept? Think about what it could be used for in the wrong hands. Would you walk up to a stranger and give them a piece of paper with this information on? Perfect for ID fraud: all the information required to apply for credit cards or a bank account. Needless to say, we didn’t share our information – but would you?

Reducing the risk of cyber crime is MUCH MORE THAN JUST AN IT CHALLENGE.


How to improve your cyber security 

Categories: Cyber Security

Cyber security is a serious problem. The Federation of Small Businesses (FSB) latest figures show 42% of members have been a victim of cyber crime in the last 12 months, costing an average of £3,000 per business.

Cyber security breaches cost the UK economy £5.26bn per year. And the time taken for a small or medium sized business to recover from a breach is now estimated as being more than 2 days.