Quarterly Business News
Welcome to the CSCM Business Newsletter
INCLUDED THIS MONTH:
- GDPR The Countdown
- 12 Steps To GDPR
- IT Jargon
- Work Together To PROTECT Your Data
Under 40 days to go by Jezz Gobran
At the time of writing this there is less than 40 days until the existing Data Protection Act is repealed, replaced by the new Data Protection Act, putting the GDPR into UK law.
What’s interesting (or convenient in terms of fines) is that in the last week or so we have seen the data breach of 150 million users of ‘My Fitness Pal’, the meltdown of Facebook and the very poor manner in which it has been handled.
Without dwelling on any of these issues, the key component in both of them is data, personal data, and no doubt it could be your personal data.
Despite these ongoing security breaches and the data protection laws changing, what I find very paradoxical is that when I’m talking with a company they look at the personal data of their clients as if it is theirs, to do with what they wish, defend their actions and try to fluff up their processing so that it sounds less intrusive than what they are actually doing.
On the flip side, when I relate it to them as a private citizen, in most cases they’re pretty unhappy with the way that some organisations process their personal data.
Now we all know we can’t have our cake and eat it, or at least not very often. So what becomes the tipping point? Do we as individuals have to be the subject of a breach that has a significant effect before it becomes a problem, irrespective of which side of the fence we sit on, or could it simply be that we do what we’re asked and are transparent in the way data is processed? After all, when political parties don’t tell us the truth because they think we can’t handle the truth, we’re up in arms (and there goes the paradox again).
What’s the answer?
The easy thing to say is do what we’re supposed to do: meet the expectations of the regulations and put sufficient processes in place to keep data safe and secure. The problem is we all complicate things. For example, Tesco just sell beans, but actually they have a highly complex business which enables that to happen. No doubt this is the same as your business: you sell stuff, but behind the scenes it’s a complex business that makes it happen profitably.
There will be plenty you can do, but in the first instance determine which side of the fence you want to be on and remove the paradox. The rest becomes so much easier and the complexity becomes a much simpler hurdle to overcome.
As always, if you need help with your data protection or information security please get in touch firstname.lastname@example.org
12 Steps to Prepare for GDPR
There is so much information in the media surrounding GDPR, and companies we speak to are confused about where to start. The ICO have some great information that may help, as well as online self-assessment kits. Visit their website to make use of the guidance they provide.
Below are the 12 steps the ICO suggest you use as a checklist on the countdown to 25th May 2018:
1/ Awareness
Make sure decision makers and key people in your organisation are aware of the change in law and its impacts.
2/ Information you hold
Document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3/ Communicating privacy information
Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR.
4/ Individuals’ rights
Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically in a commonly used format.
5/ Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
6/ Lawful basis for processing personal data
Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
7/ Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh any existing consents now if they don’t meet GDPR standards.
8/ Children
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
9/ Data Breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
10/ Data protection by design and data protection impact assessments
You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments, as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
11/ Data Protection Officers
Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure. Consider whether you formally need to designate a Data Protection Officer.
12/ International
If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority.
Do you Talk IT?
Do you recognise the odd word but not really understand what it actually means?
You are not alone, so here are a few ‘techy terms’ explained.
Encryption
A method of scrambling data to make it unreadable to people who are not authorised or trusted to read it.
An easy way to connect computers over a network by a cable.
Bandwidth
The amount of information an internet connection can handle at once.
Firewall
A protective measure that filters and stops malicious communications being sent to your computer.
IoT (Internet of Things)
The ability to connect to everyday objects over the internet.
IP Address (Internet Protocol)
The unique address assigned to your computer online.
ISP (Internet Service Provider)
The company providing you with your connection.
A device to create a connection between computers.
Phishing
The attempt to obtain sensitive information such as usernames, passwords and personal data, often for malicious reasons, by disguising as a trustworthy entity, more often than not via an email.
VPN (Virtual Private Network)
A service hiding your identity online by routing your traffic through a proxy server.
Work together to PROTECT your data
I feel I can confidently say that, as it stands in 2018, most businesses use the internet in their day-to-day operations. With that said, I feel I can also confidently say that any business, large or small, is a target for cybercrime.
Surprisingly to some, a small business can be seen as an easy target for criminals, as it may not have its own dedicated IT department and may therefore not have the knowledge or resources to train staff on what they should be looking out for to keep data safe. But a data breach via a small company could also open the gates to large organisations; security expert Jezz Gobran has talked before about supply chains.
For some companies, and even for the business owners themselves, cybercrime is still an uncertain concept, despite its impact being huge: they can lose money, business, reputation and data, and the list goes on. This way of thinking really needs to change.
Be aware and make sure EVERYONE in your organisation keeps data safe.