27k1 ISMS Programme ranked as finalist in recent Tech UK Cyber Innovation Den competition
Some organisations don't decide to get a data security system - there are 5 possible reasons why this may be so
Some people enjoy time off - and the ability to earn some spare hours may be sufficient to enthuse them about data security enough to earn those hours.
Some people may choose to improve their working environment and this can be a method to enthuse people about data security too.
Some people react well to being offered additional or specialised training - possibly with additional side benefits - whatever it may take to enthuse them to absorb data security awareness.
Where money is a key driver, but a change in salary is not possible, maybe a bonus system can be used instead to enthuse people into learning more about data security.
Some people are driven more by their moral compass than whether they are paid more money or have time off. These are key people in your organisation as they will help steer the straight and narrow path.
Some individuals react to the idea that they will have less work to do if they set things up well in the first place - it certainly is true for data security.
Some people may be influenced by money and be encouraged to learn more if this is reflected in the reward structure.
Introduction to string of blogs on how to encourage individuals to take data security seriously and apply it with enthusiasm
The best way to make people appreciate being audited is catching them doing something right and commend them for it. So simple!
The Business benefits of getting good data security controls - as a contrast to the benefits accruing to the individuals involved.
How do you appeal to individuals to encourage them to adopt and develop the data security system requirements with enthusiasm?
Do you have to tell your clients if you have a data breach? Legal need and moral obligations may be different.
You may have seen the term "Dark Web" on a film and wondered if it really does exist - and if it does, why the authorities don't do something about it? You might be interested to hear that not only that it does exist, but that the authorities know all about the Dark Web, it […]
Historically there have been times that hackers have used Malware simply because they can. This is now no longer the usual reason. Malware tools can be used individually or together to break into different parts of an individual’s or organisation’s systems in order to hijack that system and hold it to ransom – hence “Ransomware”. […]
Malware comprises a number of nasties: Adware - software displaying adverts and/or banners when user is online – while sometimes acceptable, the malware version relates to the ones you cannot get to go away Bots – an autonomous programme on the internet that can get into programmes and does things that might be different to […]
I recently watched a webinar on the Managed Threat Response proposed by Sophos (a programme for real time protection against malicious malware and other digital threats). The thrust of what they were saying is that the threat landscape in the digital world is ever changing and we all need to ensure our responses to these […]
I am delighted to have just completed a webinar on Data Security for members of the CQI (Chartered Quality Institute) Birmingham branch. My webinar covered: the GDPR and PECR legislation key points how such data security measures impact on a range of different organisational types: Brokers, Manufacturers, Service Providers etc and finished with a review […]
The problem with Data Security is that it is usually not the reason the organisation was set up. Along with other such peripheral requirements, it can end up being left on a “do-as-little-as-possible” basis. This cannot last. 1. Legal Driver This area covers, among others, the GDPR and PECR legislation. With the recent legislation, let alone […]
Further to my warning that this was the perfect occasion for Hackers to benefit, now the Foreign Secretary has confirmed it too: Foreign Secretary's Cyber Criminals statement on coronavirus (COVID-19): 5 May 2020 Foreign Secretary Dominic Raab gave the 5 May 2020 daily press briefing on the government's response to the COVID-19 pandemic. “…., I […]
The legislation makes it clear that the GDPR is not to just be a paper exercise - the whole methodology of every organisation (effectively) needs to be redesigned to ensure that the technology and organisation itself have the data protection requirements fully integrated so that this becomes the way that all organisations do business going […]
Where you have concluded that the legal basis for processing the data of an individual is “vital interests” then you need to be very clear why this is so. To demonstrate this, you will need to have recorded why, in each instance, the “Vital Interest” approach is the appropriate one. In some instances, this can […]
The DPIA must cover the following: a description of the nature, scope, context and purposes of the processing as applicable, the legitimate interests pursued by your business an assessment of the necessity and proportionality of the processing in relation to the purpose an objective assessment of the risks to individuals, which considers both the likelihood […]
The Data Protection Impact Assessment (DPIA) is a great tool to assist your management of data security impacts in your organisation. It allows you to identify – and then solve – issues early on, so as to avoid costs and reputation damage that might otherwise occur. The focus is to make your operations as effective […]
Any organisation wanting to process a child’s personal data will need to ensure that the data will be processed correctly. Remember that “consent” as a lawful basis is only valid where given by the child if they are 13 years old or over. This means that you cannot assume that they are old enough without […]
It is vital that no data is released, altered or deleted at the request of the wrong person, and that consent is asked of the correct person. To do so would be a data breach under the legislation – even if you had thought the request came from the right person. To be clear, only the […]
There are 6 legally recognised grounds for processing personal data. Your organisation will need to determine which is appropriate for each data flow. One or more grounds may apply. No one ground is more viable than another in law – it will simply depend on the purpose behind the use of the data. Agreement by […]
To determine what information your organisation holds, you need to run an audit of the flows of data through your organisation. The Information Audit will identify: the paths through which data passes: how the data is collected and why where the data is sent within the organisation what is done with it other than storage […]
This relates to the potential for a decision being made as part of the automated structures utilised by your organisation that adversely affects the individual whose data is being used to make that decision. eg Profiling. You will need to have the appropriate procedures to ensure that this does not happen. This will require certain […]
Profiling – a typical automated decision-making process Profiling is a subset of the possible automated decision-making processes – but a sufficiently important one that the GDPR legislation specifically covers this area. The legislation defines Profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or […]
You need to ensure you have the requisite procedures set up to manage the information risks in a structured way. To manage the risks involved you have to have a clear understanding of what is involved. This covers you and any data processors you use. You will need to identify a senior person in your […]
You will already have contracts (verbal or written) with any data processors you use. These need to be enhanced by the responsibilities inferred by GDPR legislation. To this end a written contract is necessary to make clear responsibilities and liabilities. It is your responsibility to comply with GDPR and to show that you are – […]
The base line here is that there is no standard charge for a bona fide SAR (Subject Access Request) and except for 2 specific circumstances, charging is not permitted. Note that the SAR can be charged for if it is “manifestly unfounded or excessive, particularly if it is repetitive”: The definition of “manifestly unfounded” relates […]
This applies to: A Subject Access Request (SAR) Request for update or correction of data Request for processing restriction Request for deletion of data Request for moving/copying/transferring data Objections to processing of personal data The GDPR requires that each of the above scenarios be responded to within a month – and the ICO recommends that […]
There are three distinct sections to assessing Legitimate Interest: Firstly – What is the purpose of processing the data? Why is the data required, what is it for and to do what? Who is it processed for? How? What additional public benefits may arise due to the processing? If there are such benefits, are they […]
This lawful basis is likely to be very popular with many organisations – it allows data to be collected without consent and used without acknowledgment BUT still requires that the organisation be very clear, in advance, as to why it feels it is entitled to do this. Furthermore, just because the data has been collected […]
You want data about individuals for a range of reasons. Whatever those reasons are, it will be no good to your organisation if it is incorrect or out of date. Since the individual does not want to be treated on the basis of incorrect or out of date information, you and the individual are wanting […]
You need to ensure that your organisation has an Information Security Policy in place together with the appropriate training, systems, controls and procedures to ensure that it is enacted, checked and works. You need to assess all personal data held and determine the risk that it poses in the event of a data […]
To best demonstrate that you and your organisation comply with the principles embodied in the GDPR legislation, an appropriate Data Protection Policy is key. Such a policy ensures that you have a consistent and accountable approach to all data security matters. It can be included as part of existing policies or be an additional separate […]
The GDPR legislation requires your organisation to recognise individual’s rights to have a copy of their data (ie data about them). Such a request for information is called a Subject Access Request (SAR) in the GDPR Legislation and this term may be one you have seen elsewhere. Specifically, every individual may require you to provide: […]
Wherever your personal data was collected, you would want to know what was being done with it and why. For this reason, among others, your organisation should do the same for all those individuals whose data it has collected. It should state what has been collected, why and who you may be sharing it with. […]
In order that the individual may move, copy or transfer their data (also known as data portability) from your organisation to another (or from another organisation to yours), they have the right to request that this be undertaken by the organisation holding the data. You are required to have procedures to enable this to be […]
If an individual feels that their data has been incorrectly or inappropriately (ie illegally) processed, you are required to respond to their request with a course of action and to handle the case on its merits. You must ensure that the individual knows, at the point when they first interact with you, that they are […]
How your organisation asks for, and records, an individual’s consent to acquire, store, handle and use their data is key. The whole point of the GDPR legislation is to ensure that the individual's personal data is protected - but there are allowable ways to use it - so long as this is done correctly. Consent […]
There may come a time when your organisation no longer wants an individual’s data at the end of whatever process the data was taken for. But the individual has the right to require that you remove that data at an earlier time. For this to take place the following have to apply: The data is […]
It is vital that those people about whom you collect data, should be able to understand that you are doing so and what you are doing with it. The way you collect, process and share such information should be described in a way that the individuals affected can understand – especially the case with children […]
You need to be able to show how you will spot, cope with and solve any problems caused by data breaches from your organisation or of your data. In some instances, you will need to report when you have a data breach to the ICO and this will sometimes include information as to who has […]
If data is transferred across international boundaries, you have to ensure that it is correctly and appropriately protected – from damage, hacking, loss or misdirection and more. The GDPR being an EU Regulation, this was designed to apply outside the European Economic Area – but it is good practice to consider this issue as soon […]
As with all projects undertaken by any organisation, the key personnel and decision makers must “walk the walk” to demonstrate support for the beneficial culture of data protection compliance. Thus these are the prime focus of awareness raising and briefing when installing the changes due to GDPR. Within the organisation, to encourage the absorption and […]
When handling data flows, not all data types are equal. Special Category Data is the term used to cover those types of data which are more sensitive to the specific individual to whom they refer. It covers: Racial/ethnic origin Political opinion Religious or Philosophical beliefs Trade Union Membership Genetic data Biometric data used for identification […]
The DPO will be someone in your organisation, or a 3rd party specialist contracted to your organisation who will take the responsibility for your data protection compliance. (This does not pass this responsibility out of your care so much as ensure that there is an expert on the field able to handle the data security […]
“Every organisation or sole trader who processes personal information needs to pay a data protection fee to the ICO, unless they are exempt.” Data Protection Fee: Micro (turnover up to £632,000, up to 10 employees) – £40; SME (turnover up to £36m, up to 250 employees) – £60; Enterprise (turnover over £36m, over 250 employees) – £2,900. Data […]
“My what?” Your riskiest data asset. The asset in your organisation that has the most risk from a data security point of view. “Oh! Er… well my computers I suppose…” Probably not. Try again! “Um. Well.. my servers and laptops…” Still probably not. Let me help. What about data sticks? Do you think they are […]
The user of the 27k1 ISMS starts by entering details specific to the organisation: Name and address and details of organisation Breakdown of zones/areas of activity within the organisation Breakdown of employees within the organisation Data assets held by the organisation: People, Hardware, Software, Communications, Storage, etc The next step is to run through the […]
Imagine the occasion – you are about to sign a contract that will leapfrog your organisation forward well past your targets for the year and you are sitting there with self-congratulations buzzing through your head when suddenly your soon-(hopefully)-to-be-client asks: “for goodness’ sake don’t let this IP get out – it has taken us years […]
The GDPR and PECR are the controlling legislation for data security. They are both pieces of EU Legislation. So, they do not require any further member state legislation to be introduced before becoming law throughout the EU and UK. The key UK data security legislation is the Data Protection Act 2018 (DPA 18). When the […]
This can be described verbally as follows: Determine the Data Assets (computers, mobiles, filing cabinets, whiteboards, servers, people etc – ie everywhere that data is held – hard or virtual copy or in someone’s head) Run through each Data Asset (or group of them) against the Controls and Procedures set by the standard to determine […]
Most people forget that their personal mobile phone is a huge data security liability. Data on emails, apps and connections needs as much security on your mobile as for the rest of the organisation. Every app on your phone – from the official to the casual – provides an access point for hackers, the potential […]
Imagine you were a hacker. Hackers are very happy right now. They know: That everyone is now using home equipment, and systems potentially disconnected from secure communications. That IT staff will be over-run with other problems than checking that hacks are being performed. That they can probably get a hack to slip between the defences […]
Your legal obligations in the data security field are potentially vast – wide ranging and powerful – yet it seems that many are barely aware that there is law in the first place! Thou shalt not… (insert almost anything) is the result – and is consequently confusing. The resultant potential fines, prison sentences, prohibitions (and consequent loss […]
ISMS stands for Information Security Management System. That means it is a structured approach for controlling your organisation’s data security to ensure: It does not get into the wrong peoples’ hands It is not corrupted It is used by the people that should have access and not by those that don’t Rules are set as […]
This is a series of recommendations as to how to address concerns about data security – what to do to control the related risks and how to determine improvements while providing appropriate flexible criteria checklists against which to assess the right actions. The processes are carried out within an Information Security Management System (ISMS) which […]
“Every organisation or sole trader who processes personal information needs to pay a data protection fee to the ICO, unless they are exempt.” Data Protection Fee: Micro (turnover up to £632,000, up to 10 employees) – £40; SME (turnover up to £36m, up to 250 employees) – £60; Enterprise (turnover over £36m, over 250 employees) – £2,900. from […]
Reputation Loss is the worst result from a data breach. Reputation Loss will: Bankrupt your business faster than any fine. Lose your customers faster than you are able to react. Drag your business down faster than any criminal sentences. Act faster than any slap on the wrist from the Information Commissioner’s Office. Be slow to […]
A paper book, and a computer disk, had equivalent data. They were laid to rest one night when, later, A thief decided to take a look At the computer and, at the book. He found it harder the book to see, So, when he found the computer, he said with glee, “At last, success, I […]
Data Security is a heading for ensuring your data fulfils the following criteria: Availability - Accessible by those authorised to use it Usability - Format pertinent to necessary usage Currency - Sufficient date clarity for optimising usage Complete - All relevant data available in both time frame and scope Confidentiality - Secure, controlled and safe […]