Full Metal Jacket…

For many after the historic events in the UK, it may indeed feel necessary to don a metaphorical “full metal jacket” to survive what is an ongoing onslaught of the political landscape. Uncertainty grows and the decision to “Brexit” continues to have ramifications far beyond those that were considered by many, it seems.

Info Sec

Given these uncharted waters, we must look to our principles to steady ourselves. This is never more true than in the security community. Cyber threats continue to escalate, and the capacity for intelligent, end-to-end risk analysis has never been more relevant. The economic climate may be unstable but the economics of crime remain certain. So it behoves all professionals with responsibilities for both information and technology to arm themselves with a greater understanding of what is required to actually embed secure thinking across their organisations.

That being said, less of the cyber and more of the information view is required. This is not easy, given the legacy, at so many levels, that many are working with. Cyber is the domain in which the greatest threats to our corporate information are being realised. However, risks are coming from all domains – people, process, technology, physical – and now we can add politicians to this list! Professionals know this. Without full knowledge of your information assets – without knowing what is important to your organisation and what could happen if that information fell into the wrong hands – you are actually running with a level of blindness that in and of itself creates risk(s) and ensures that you are not providing truthful reporting. But – and it’s a big BUT – “Security” is everyone’s responsibility, and everyone needs a LOT more understanding!

There is a US cyber security strategy, an EU one, country-specific ones…. So what? It’s not stopping the rot. Corporate businesses are still supporting bad design practices as a result of not allowing the time required to design both safely and securely. Everyone is outsourced to a point of stretch that is unsustainable. In spite of Brexit, we remain full steam ahead on the preparations for the General Data Protection Regulation (GDPR), and with this comes a requirement to be able to adopt a “full disclosure” approach to incidents and breaches.

We will also be preparing for adoption of the Network and Information Security (NIS) Directive, which is very much more a directive that operates at a government level but includes a requirement to establish “security and notification requirements for operators of essential services, as well as digital service providers” – with an explanation of who is covered by “essential services”.

Nonetheless, as per the “path to GDPR” picture, what is really required is good project management. In order to achieve the desired outcomes, which will include behaviour change (to deliver “privacy by design”), there is a lot of information required and a lot of understanding across the whole organisation. Security is everyone’s responsibility – and everyone needs a LOT more understanding! Procurement need to understand the implications of the deals being undertaken; so do Legal – and Legal need to not be looking to the Security community to educate them on matters of Information based legislation. Shame on them! Keep up with the law yourselves!

HR need to be much more engaged in helping to discipline badly behaving employees and support the need for showing good security behaviour as being an active element of annual appraisal processes.

IT need to be factoring in safety and security within all change management and future development – not coming to Security right at the end. None of this is rocket science; it’s not new news. Security is a collective. And much like all the rhetoric these past few months, stop believing the hype! The Security industry itself needs to look deep into its soul and reflect on the ethics of selling pipe dreams of layer upon layer of defence over the top of known insecure systems.

There are at least 85 different security tools from 45 different vendors. In an increasing “internet of things” environment, this approach is going to crumble and will embarrass us all. It’s a fallacy to think that we can cure cancer by putting a plaster on it – likewise the continued application of technology to a technology problem cannot be seen to make sense in the abstract!

In conclusion: ensure you know your information asset landscape; ensure you know the impact of the realisation of any threats to those information assets; and stop focussing on just all things “cyber”.

Act Now’s Information Risk & Security course runs in London and Manchester in October. See http://www.actnow.org.uk/courses/2015

About the Author

Andrea C Simmons, FBCS CITP, CISM, CISSP, M.Inst.ISP, MA, ISSA Senior Member has more than 17 years’ direct information security, assurance and governance experience. Andrea’s most recent role as Chief Information Security Officer for HP Enterprise Security was one of worldwide influence addressing Security Policy and Risk Governance seeking to support and evidence the delivery of organisational assurance across a wide portfolio of clients and services.

DP and #GDPR after #Brexit

For the last six months, Data Protection experts, novices and agnostics have talked of little else but the General Data Protection Regulation, the new version of Data Protection law that will hold sway consistently across the 28 members of the European Union from the 25th May 2018.

Well, about that. 28 now becomes 27, as the United Kingdom has decided on a slim margin to vote ourselves out of the European Union, and sail off into the Atlantic. So what does this mean for the GDPR? Do we wave goodbye to the mandatory Data Protection Officer, the Right to Be Forgotten and the joys of impact assessments?

The short answer is no. The Information Commissioner has already announced that the only way forward for the UK’s creaking Data Protection legislation and its relationship with Europe is UK legislation as close to the GDPR as we can get. Every serious commentator in the Data Protection world (and all the others) is saying the same thing. The consensus is impressive but unsurprising – the redoubtable Max Schrems has proved how much creative mischief can be wrought if a country does not have a sound data protection relationship with the EU. Some of the comments coming out of the EU today make it clear how difficult it will be to achieve that relationship, so the one thing we cannot be certain of is when things will become certain.

Sooner or later, the GDPR or a close relation of it will replace the DPA in the UK. However, it is impossible to say when. Every business that offers services to EU citizens will be caught in limbo from the moment the Regulation goes live in the EU, struggling to balance the DPA in the UK and the GDPR abroad, or just succumbing to the GDPR on the basis that operating the higher GDPR standards will not cause them problems here.

In the meantime, what should organisations do? Our advice – keep your eyes peeled for the timetable for GDPR’s inception here, but look to your DP compliance now.

Consent

Whether you’re UK based or operating across the EU, the version of consent popular in the UK (implied, opt-out, buried in terms and conditions) isn’t consent. The ICO has taken enforcement action under both the DPA and the Privacy Regulations to this effect. Look everywhere that you rely on consent – you need freely given, specific and informed consent.

Fair processing

Linked to this is the issue of privacy policies and fair processing. It’s clear that the ICO does not think that long, legalistic fair processing notices are acceptable, so concentrate on communicating clearly with your customers, clients and service users.

Impact assessments

The difference between the ICO’s code on Privacy Impact Assessments and the Regulation’s requirements on impact assessments is very thin. Although the Regulation’s bold demands for Data Protection by Design (bold but not especially well explained) will only bite when we implement it, the ICO has been advocating pro-active impact assessments in advance of new projects for a long time. We strongly advise you to look at the ICO code now – it’s current good practice (and sometimes the ICO will enforce if you don’t). Moreover, it’s a dry run for the impact assessments and design principles that the GDPR will ultimately require.

Data Processors

Find every contractor and agent that your organisation does business with. Make sure there is a binding legal agreement between you and them. Like other steps we are mentioning here, this is self-preservation for the present as much as for the future. If cloud computing is “your data on someone else’s computer”, then processors are “your data in the hands of someone who isn’t covered by the Data Protection Act”. Find them. Get contracts in place. Make sure they’re being followed.

Deletion

The GDPR Right to Be Forgotten is a different beast to anything that the European courts have created under the current regime, and it is underpinned by a need to delete data from systems that process personal data. It’s well worth looking at how you might delete data and finding out where deletion / overwriting of data is difficult. When the GDPR lands, deletion will be a massive headache, but if you can’t delete now, you can’t comply with the existing Data Protection principle on retention.

Security

Every organisation needs a viable, appropriate, effective and validated security framework. Data Protection compliance under the DPA and the GDPR isn’t about incidents, it’s about effective and verified methods to prevent them, whether technical or organisational. Security isn’t everything that Data Protection is about, but there is no question that the highest penalties will still apply to poor security frameworks. The extra detail in the GDPR about security – especially what good security requires – is essential guidance and well worth implementing.

BUT WHAT ABOUT….

Act Now is not predicting when the GDPR will come to the UK. Anyone who predicts confidently when it will arrive is fooling you, or themselves. The GDPR also contains a mandatory Data Protection Officer, mandatory breach notification and a whole lot else besides. It might be that the UK Government acts quickly to bring in legislation to introduce the whole package. However, while we might be confident that the GDPR is on its way, we’re not certain about when. Our advice is to work on the foundations now, and get ready to put the new GDPR structures on top when the timetable is a little clearer.

And that’s definitely not now!

Act Now continues to receive bookings for its GDPR workshops for which new dates and venues have been added. Our Data Protection Practitioner Certificate is ideal for those who want a formal qualification in this area. The syllabus is endorsed by the Centre for Information Rights based at the University of Winchester.

To Brexit or not to Brexit…

That is the question on everyone’s lips right now. With the EU referendum looming, the next big question is, How will the GDPR affect us should we decide to leave the EU? The majority opinion is that we will be definitely affected in some way or other by the regulation and most likely will have to adopt all of it, maybe in a slower timeframe… But there’s no escaping it!

There are three likely outcomes should we leave the EU…

  1. We remain in the European Free Trade Association or European Economic Area (EEA) of the EU, similar to Norway, in which case we would then be subject to the GDPR in order to trade with the EU
  2. We leave all trade agreements and become similar to the USA – a ‘safe third country’ – in which case we would have to have a suitable level of DP regulation which, for all intents and purposes, will be the GDPR
  3. We completely go solo like Geri Halliwell, Robbie Williams, Zayn Malik… okay, I’ll stop. Even in this scenario, we would have to make our own singles, do our own world tours… sorry, I mean have our own equivalent of the GDPR, or update our existing one – and where better to find one? (I can sense a Blue Peter moment coming on…)

So in short… and forgive me for my Hunger Games level of enthusiasm at being selected for the games, but the GDPR is coming one way or another… The Real Question is… Are You Ready?

Let the Games Begin!

Act Now can help you prepare for the regulation. We have full day courses on the regulation as well as courses available online. Please visit our website here to find out more.

New IRMS Certificate in Information Governance


Today, the Information and Records Management Society (IRMS) and Act Now Training launched the IRMS Foundation Certificate in Information Governance. This represents the first fully online certificated course covering data protection, freedom of information and records management.

In difficult economic times, traditional face-to-face learning is often the first activity to fall victim to budget cuts. However, the area of Information Governance is currently the subject of rapid change. After four years of negotiation, the new EU General Data Protection Regulation (GDPR) has now been formally adopted by the European Parliament and will come into force on 25th May 2018. The FOI Commission’s report, published in March, will lead to additional obligations for public authorities under the Freedom of Information Act. And the list goes on…

Employees and managers, both in the public and private sector, need timely and cost effective IG training. The IRMS Foundation Certificate in Information Governance is the solution. This is an online certificated course designed for information management professionals who need to know about the basics of information rights and information management in their job role. It is an ideal starter qualification for those who wish to then progress to more advanced qualifications such as our Practitioner Certificate in Data Protection and the BCS FOI and DP Certificates.

Launched at the 2016 IRMS conference in Brighton, the IRMS Foundation Certificate in Information Governance is a fully online yet interactive course. There are four learning modules (Records Management, Security and Information Assurance, Data Protection and Freedom of Information). Using the latest web based technology, delegates will be able to learn from the comfort of their own desk by attending four live online webinars. In addition they will be able to tailor their learning through doing four recorded modules from a choice of six. Finally they will do a short online assessment to achieve the certificate endorsed by the excellent reputation of the IRMS.

Ibrahim Hasan, Director of Act Now Training, has developed the course with IRMS colleagues. He said:

“I am really pleased to have been involved with the development of this ground breaking new online qualification. I have used my experience in delivering Information Governance training for many years to help create a product which will hopefully meet a previously unmet demand amongst Information Management professionals.”

Meic Pierce Owen, the Chair of the IRMS said:

“I am genuinely proud to have overseen the development of this important qualification that offers all information professionals the opportunity to gain a solid grounding in contemporary Information Governance (IG). This qualification has relevance across all sectors and is equally valid for those looking to master the basics of contemporary IG as it is for those looking to progress to practitioner level study.

As a generalist practitioner who qualified from University just ahead of Data Protection, Freedom of Information and Information Security being covered in any detail on the courses, I am also delighted to put my money where my mouth is and be the first to sign up to study for this qualification, which I believe to be relevant to my CPD as well as being excellent value for money. I shall let you know how I get on…”

If you would like to know more about this exciting new course please visit us at the IRMS stand at the Brighton conference. See also our dedicated IRMS Certificate webpages or get in touch.

Be an Information Superhero and gain a Superhero Qualification!

25th May 2018: D-day For Data Protection (GDPR)

Following its formal adoption by the European Parliament in April, the General Data Protection Regulation (GDPR) was published on 4th May 2016 in the Official Journal. This means that it will be directly applicable throughout the EU (without the need for implementing legislation) from 25th May 2018.

Data Controllers now have two years to prepare for the biggest change to the EU data protection regime in 20 years. With some breaches of the Regulation carrying fines of up to 4% of global annual turnover or 20 million Euros, everyone has to take Data Protection seriously.

All Data Protection practitioners and lawyers need to read the Regulation and consider its impact on their organisation and clients. Act Now has a series of blog posts as well as a dedicated GDPR section on its website with articles on the different aspects of the Regulation.

Training and awareness at all levels needs to start now. We are running a series of GDPR webinars and workshops. Five out of eight of the next GDPR workshops are fully booked. We have also started running workshops on specific aspects of the Regulation e.g. Information Risk and Security.

Our team of experts is available to come to your organisation to deliver customised data protection/GDPR workshops as well as to carry out health checks and audits.

If you are looking for an up to date DP qualification with a focus on GDPR, have a look at our Data Protection Practitioner Certificate.

The next two years need to be spent wisely. Act Now can help you prepare for the Regulation in the most cost effective manner whilst also ensuring you and your organisation are fully prepared.

Let the Fun Begin! New EU General Data Protection Regulation #GDPR is Adopted

After four years of negotiation, the new EU General Data Protection Regulation (GDPR) has today been formally adopted by the European Parliament. The Regulation will soon be available in all the official EU languages.

The Regulation will take effect twenty days from its post-vote publication in the Official Journal (May 2018) giving Data Controllers two years to prepare for the biggest change to the EU data protection regime in 20 years.

The Regulation will apply to any entity offering goods or services (regardless of payment being taken) and any entity monitoring the behaviours of citizens residing within the EU. Companies are now directly responsible for DP compliance wherever they are based (and not just their EU based offices) as long as they are processing EU citizens’ personal data.

For some breaches of the Regulation (e.g. failing to comply with Data Subjects’ rights or the conditions for processing) Data Controllers can receive a fine of up to 4% of global annual turnover for the preceding year (for undertakings) or 20 million Euros. For other breaches (e.g. failing to keep records or complying with security obligations) the fine can be up to 10 million Euros or 2% of global annual turnover (for undertakings).

The Regulation replaces the previous EU Data Protection Directive (95/46/EC), upon which the UK’s Data Protection Act 1998 (DPA) is based, without the need for further national legislation. It does, though, allow for substantial national derogations in a number of important areas, so in addition to amending or repealing their existing legislation and guidance, the Government and the Information Commissioner’s Office (ICO) will be working to finalise their positions on key issues such as exemptions, workplace privacy, healthcare services and biomedical research.

The ICO has set up a new GDPR microsite and published a 12 step guide to preparing for the Regulation. Read the Assistant Information Commissioner’s blog here about what more they are planning.

The Regulation is accompanied by the EU Policing and Criminal Justice Data Protection Directive which contains new rules for Data Protection when applied to crime and justice, but which can be implemented by each Member State through its own laws with greater flexibility.

All Data Protection practitioners and lawyers need to read the Regulation and consider its impact on their organisation and clients. The good people at Covington & Burling LLP have published an automated comparison here to allow readers to see how the Regulation has changed from its previous version.

Training and awareness at all levels needs to start now. Here is a nice video to get you started.

Act Now has a dedicated GDPR section on its website containing articles as well as details of our GDPR webinars and workshops. If you are looking for an up to date DP qualification with a focus on GDPR, have a look at our Data Protection Practitioner Certificate.

GDPR: The Data Protection Principles (but not as you know them Jim!)

Having recently attended the Information Commissioner’s Office Data Protection Practitioners Conference in Manchester, I should start this blog post by echoing the words of our outgoing Commissioner, Christopher Graham, that the Regulation text is not the final version until later this year when it has been reviewed and fully translated for all 28 member states.

But as the Regulation is unlikely to change in material terms, let’s crack on!

Whenever you see blogs and articles about the new EU General Data Protection Regulation, they are often focusing on what’s new and “exciting”, be that in a good or bad context (see our summary here). But this blog post will look at some of the things that are remaining familiar, albeit in an edited ‘reshuffled’ form.

So let’s go back to basics – the Data Protection Principles. Now under the current Data Protection Act 1998 there are 8 principles that cover things from legitimate purpose to retention and security. Under the Regulation these are changing. Chapter 2, Article 5 (1) (a)-(f) now outlines the principles:

“Personal Data shall be:

1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 83(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’);”

Now while the Regulation text doesn’t specifically say “principle 1” etc. it does confirm these as the principles and it is logical to assign numbers (as opposed to A,B,C). Principle A just doesn’t have the same ring to it as, “the first principle”. I suspect that these will now become known by their subject matter, so for example you would have “the accuracy principle” and “the data minimisation principle.”

You will notice that we are also down to 6 principles from our current 8 under the DPA. The 2 “missing principles” have been amalgamated into the new 6 principles. All the current requirements in the 8 principles are still here but they are now outlined in the finer detail of the text. So, for example, principle 6 in the DPA (“processed in accordance with data subjects’ rights”) is not specifically called out as a principle in the Regulation, but it is outlined in Ch2 Art 5 (1) (a) that information will be processed in a “fair and transparent manner”. The requirements of this, outlined in the rest of the Regulation, require Data Controllers (and indeed processors) to ensure that Data Subjects can exercise their rights as outlined in the text in Chapter 3.

The same applies to the current principle 8 of the DPA 1998, the “not transferred to a country outside of the EEA without adequate protections” principle. Because the ‘protections’ are outlined in other principles (Chapter 4, section 2 (Security) for example) and because of the regulatory nature of the Regulation, it is expected that, as part of your processing under the other principles, you will share data internationally in the correct fashion.

As the saying goes, the devil is indeed in the detail with this Regulation. In this document I’ve put the relevant sections into the principles to which they relate. There is some overlap but generally if you’re talking about principle 1, then the references are all sections of the text that are relevant to some degree. This list is by no means exhaustive but it does give you a view as to how the principles are intertwined into the detailed text.

In the next few posts I’ll be exploring these principles more and some of the related requirements to see what this means in practice and what further location specific standards we should be on the watch for.

Scott Sammons is an Information Risk and Security Officer in the Medico-Legal Sector and blogs under the name @privacyminion. Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate.

Read more about the EU Data Protection Regulation and attend our full day workshop.

Data Breach Notification and the New EU Data Protection Regulation

The new EU General Data Protection Regulation contains an obligation on Data Controllers to notify supervisory authorities of personal data breaches. In some cases this extends to the Data Subjects as well.

Article 4 of the Regulation defines a personal data breach:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

Under the Data Protection Act 1998 (DPA) there is currently no legal obligation to report such breaches to anyone. However the Information Commissioner’s Office (ICO) guidance recommends that serious breaches should be brought to its attention. Last year telecoms company Talk Talk was the subject of a cyber attack in which almost 157,000 customers’ personal details were hacked. The company was criticised for its slow response especially the time it took to inform the ICO and customers.

Article 31 of the Regulation states that once the Data Controller becomes aware that a personal data breach has occurred it should, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority (in the UK the ICO). There is no need to do this where the controller is able to demonstrate that the breach is unlikely to result in a risk for the rights and freedoms of individuals, for example a very minor data breach involving innocuous information about a few individuals. Where the 72 hour deadline cannot be achieved, an explanation of the reasons for the delay should accompany the notification.

Notification Contents

The notification must contain the following minimum information:

  • a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects and data records concerned;
  • the name and contact details of the Data Controller’s Data Protection Officer (now a statutory position) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach;
  • a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, to mitigate its possible adverse effects.

Where it is not possible to provide the above information at the same time, the information may be provided in phases without undue further delay.

The new Regulation will require all personal data breaches, no matter how insignificant, to be documented by Data Controllers. This should include the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with Article 31. Some, if not all of it, will also be accessible via Freedom of Information requests, as many local authorities have already found.

Individuals’ Rights

Article 32 of the new Regulation states that Data Subjects should be notified without undue delay if the personal data breach is likely to result in a high risk to their rights and freedoms (e.g. fraud or identity theft), in order to allow them to take the necessary precautions. The notification will be similar to the one to the supervisory authority (discussed above) and should describe, in clear and plain language, the nature of the personal data breach as well as recommendations for the individuals concerned to mitigate potential adverse effects.

Notifications to individuals should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the need to mitigate an immediate risk of damage would call for a prompt notification whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.

There is no need to communicate a personal data breach to individuals if:

(a) the Data Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption; or

(b) the controller has taken subsequent measures which ensure that the high risk for the rights and freedoms of data subjects is no longer likely to materialise; or

(c) it would involve disproportionate effort. In such a case, there will instead have to be a public communication (e.g. press release) or similar measure whereby the Data Subjects are informed in an equally effective manner.

Even where a Data Controller has chosen not to inform Data Subjects, the supervisory authority can instruct it to do so. No doubt there will be more detailed rules setting out what kinds of breaches require notification and to whom.

Compensation

Article 77 states that:

“Any person who has suffered material or immaterial damage as a result of an infringement of the Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

This together with the new breach notification provisions (discussed above) will no doubt see an increase in Data Subjects taking legal action against Data Controllers as a result of data breaches. There may even be more class actions like the one against the London Borough of Islington in 2013 when 14 individuals settled for £43,000 in compensation after their personal data was disclosed without their authority. This action followed an ICO investigation which resulted in the council being fined £70,000.

Currently the ICO can issue fines (Monetary Penalty Notices) of up to £500,000 for serious breaches of the DPA. When the Regulation comes into force, this will be increased to 4% of global annual turnover for the preceding year (for businesses) or 20 million Euros.

The Regulation will have a big impact on all sectors. Whilst it is unlikely to come into force until the middle of 2018, all Data Controllers should be examining their approach to data breaches now and be putting into place processes to comply with the new rules.

Act Now Training can help. Please see our one-day EU DP Regulation workshops and our 1 hour webinars. We can also conduct DP audits and assessments.