UK businesses urged to prepare for GDPR a year to day

With exactly one year to the compliance deadline, the Information Commissioner’s Office has urged UK firms to seize the business benefits of being GDPR-ready

With exactly one year to the compliance deadline, the Information Commissioner’s Office has urged UK firms to seize the business benefits of being GDPR-ready

There is no time for businesses to delay in preparing for the General Data Protection Regulation (GDPR), says the UK information commissioner.

In a video address to UK business leaders, Elizabeth Denham called on businesses to see the benefits of sound data protection and act now to prepare for what she termed “the biggest change to data protection law for a generation”.

It is not just western countries such as the US and the UK that are being targeted by hackers, as the rapidly developed and wealthy nations of the Middle East become targets of both politically and financially driven attacks.

“If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance.

“But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit,” she said.

Deputy commissioner Rob Luke also highlighted the business benefits of GDPR compliance at a discussion about the legislation hosted by IT industry body TechUK.

The best outcome, he said, would be where organisations take an approach to data protection that earns the trust of consumers in a more systematic way, and where that trust translates into competitive advantage for those who lead the charge.

Luke said that while the GDPR presents some opportunities for organisations, the ICO recognises that there are some challenges too, noting that the GDPR is an indicator of change as much as it is an instigator.

“The GDPR is part of the response to the challenge of upholding information rights in the digital age; of protecting the rights and interests of the individual in the context of an explosion in the quantity and use of data and in an environment of extremely rapid technological change,” he said.

Luke said that GDPR is going to be an important part of the global data protection landscape over the years ahead, with great relevance to UK organisations, the public and their data.

“The moment at which GDPR takes effect in the UK on 25 May 2018 will, of course, mark a change. In delivering legislation fit for the digital age GDPR confers new rights and responsibilities, and organisations need to be working now to prepare for them,” he said.

Luke said he hoped that UK organisations have already deployed the ICO’s 12 steps to take to prepare for GDPR and were familiar with the ICO’s Overview to GDPR, and were drawing on the ICO’s wider resources.

The ICO, he said, is working at pace to produce detailed guidance, both at a national and a European level, through the Article 29 EU Working Party.

While this guidance will continue to be developed, Luke said organisations should not wait for definitive guidance on every aspect of the GDPR before taking action.

“I urge you not to wait, nor to take a reactive approach to your GDPR preparations, motivated solely by a mindset of compliance or risk management. Those organisations which thrive under GDPR will be those who recognise that the key feature of GDPR is to put the individual at the heart of data protection law.

Thinking first about how people want their data handled and then using those principles to underpin how you go about preparing for GDPR means you won’t go far wrong,” he said.

Preparation for compliance with the GDPR can be boiled down to transparency and accountability, said Luke.

“It is about being clear with individuals how their personal data is being used, and placing the highest standards of data protection at the heart of how you do business,” he said.

As a result, said Luke, this means GDPR compliance is a board-level issue for every size of organisation, not only because under the GDPR the ICO can fine companies up to €20m or 4% of a company’s total annual worldwide turnover for the preceding year, whichever is greater, but also because of potential brand damage.

“As we’ve seen in well-publicised examples, the cost to business of poor practice in this area goes above and beyond any fine we can impose. Losing your consumers’ trust could be terminal for your reputation and for your organisation,” he said.

The ICO recognises that data is the fuel that powers the digital economy, said Luke, and the GDPR is a response to this evolving landscape. The GDPR builds on previous legislation, he said, but brings a 21st century approach and delivers stronger rights in response to the heightened risks.

These new rights include individuals’ rights to:

Be informed about the use of their data;
Access their information and move that information around;
Rectify and erase data where appropriate;
Revoke consent;
Challenge automated decisions.

“Good practice tools that the ICO has championed for a long time, such as privacy impact assessments and ensuring privacy by design, are now legally required in certain circumstances,” said Luke.

Being transparent and providing accessible information to individuals about how you will use their personal data is another key element of the new law and our privacy notices code of practice is GDPR-ready, said Luke.

Luke also noted that data breach reporting would also change under the GDPR. Organisations will be required to notify the ICO, within 72 hours, of a breach where it is likely to result in a risk to the rights and freedoms of individuals.

The widespread availability of personal data on the internet and advances in technology, coupled with the capabilities of big data analytics, mean that profiling is becoming a much wider issue, he said.

According to the ICO, the GDPR is a principles-based law well equipped to take on the challenges of 21st century technology.

“It aims to be flexible – protecting individuals from harm while enabling you to innovate and develop services that consumers and businesses want,” said Luke.

In addition to gearing up the GDPR compliance within the ICO and the higher volume of activity that is bound to come as a result of mandatory breach notifications, Luke said the ICO is looking at how it might be able to engage more deeply with companies as they seek to implement privacy by design.

The ICO is also looking at how it can contribute to a “safe space” where companies can test their ideas and at how it can recognise good practice.

“We should be able to find ways to give credit where credit is due without that translating into a free pass for an individual organisation or practice. GDPR explicitly foresees wider use of tools such as codes of conduct and certification schemes, which potentially have an important role to play,” said Luke.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Almost a quarter of UK and US firms likely to miss GDPR deadline

Some 24% of companies polled in the UK and US expect to miss the GDPR compliance deadline of 25 May 2018

Some 24% of companies polled in the UK and US expect to miss the GDPR compliance deadline of 25 May 2018

Only 15.7% of more than 200 UK and US companies polled are in the advanced planning stages of complying with the EU General Data Protection Regulation (GDPR).

It is not just western countries such as the US and the UK that are being targeted by hackers, as the rapidly developed and wealthy nations of the Middle East become targets of both politically and financially driven attacks. Discover how cyber security expertise can help businesses in the Middle East navigate digital transformations and keep cyber criminals at bay.

Some 17.8% said they were in the moderate planning stages and 11% said they were only in the initial stages of implementing processes to ensure compliance, according to the survey by security firm Guidance Software.

But 24% of the organisations surveyed said they would not be ready by the 25 May 2018 deadline, and 30.6% said they had no timetable for being GDPR compliant, which could expose them to fines of up to €20m or 4% of their annual global turnover, whichever is greater.

Some 14.2% said they would divest EU operations instead of attempting to become compliant with the GDPR.

The survey revealed that bigger companies have made the most progress towards compliance. Some 43% of organisations with revenues of $1bn or more claimed to have processes in place already that can identify data records of any EU citizen and determine where that data is being processed, in comparison to just 26.8% of organisations with under $100m in sales.

The GDPR requires all organisations doing business in EU member countries to comply with new regulations governing the data privacy rights of EU citizens.

However, more than half of the companies surveyed have not yet begun to evaluate third-party products or developer processes to identify the data records of EU citizens.

When asked to prioritise the recruitment and training of a qualified data protection officer, 23.7% ranked it as a high priority, 18.1% said it was a medium priority, and 15.4% named it a low priority.

For all companies, the top three activities to becoming GDPR compliant are:

Use and maintain policies and procedures for the anonymisation and de-identification of personal data (24.9%).
Conduct a full audit of EU personal data manifestation (22.8%).
Evaluate all third party operational partners that access personal data transfers (21.4%).

“With nearly five billion data records exposed in the past four years alone, there is a clear trend towards stronger protection of consumer data, and GDPR is a major first step in that direction,” said Anthony Di Bello, senior director, products, at Guidance Software.

“This data suggests that many organisations are, on the whole, behind schedule for compliance. Security leaders must make GDPR a priority over the next year to avoid major financial penalties,” he said.

To prepare for GDPR compliance, organisations are advised to:

Understand and acknowledge the requirements of GDPR for each specific business.
Conduct an internal audit to determine internal practices that need to change.
Create an incident response plan, including testing and updating procedures.
Identify gaps in technology.
Appoint a qualified data protection officer (DPO).
If there is not already a plan for GDPR compliance, start now.

Guidance Software also advises organisations to:

Monitor efforts at EU level and in member states to prepare for enforcement of the GDPR.
Establish familiarity with the supervising authority or authorities most relevant to operations.
Monitor technical guidance and codes of conduct from relevant EU authorities.
Establish where customer personal data is located, why it is used, and how long it is kept.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Nearly 30pc SME staff lack cyber threat training

Some 27% of small to medium sized enterprises (SMEs) are failing to educate staff on the threat of a cyber attack.

Some 27pc of small to medium sized enterprises (SMEs) are failing to educate staff on the threat of a cyber attack.

According to research by cyber insurance provider CFC this is despite the fact that nearly fourty per cent of CFC’s claims in 2016 were caused by phishing attacks that could have been avoided with better education and training.

According to CFC, the main reason given for this it that SMEs are “not sure where to start”, which could be a result of not understanding their cyber risk profile, with 20% of SMEs never assessing the business exposure to cyber risk.

In September 2016, a Juniper Research report revealed that 74% of UK SMEs think they are safe from cyber attack, despite half of them admitting having suffered a data breach.

There is still naivety about the significance of a data breach, according to the report, which showed that although 69% of respondents would contact someone immediately if they discovered a cyber breach, 18% would wait until the next working day if they did not consider it a big problem.

CFC reported a 78% rise in cyber claims from 2015 to 2016, with 90% of claims by volume coming from businesses with less than £50 million in revenue, highlighting just how vulnerable SMEs are to relatively unsophisticated cyber attacks.

When SMEs were asked what poses the biggest threat to their business, cyber crime came in second, topped only by Brexit.

Some 31% of IT companies report cyber crime as the main threat, followed by 25% in the manufacturing sector. By comparison, just 8% overall are concerned about traditional crime. Despite these worries, 80% of SMEs still do not buy cyber insurance.

At CFC’s recent Cyber Symposium, Inga Beale, CEO of Lloyd’s, said: “It’s one of the most high profile risks businesses are facing at the moment, and yet CEOs seem to be in denial about its impacts and their ability to deal with it.

“Businesses are either not looking for solutions, or if they are, they don’t know where to find them or understand the value of them. Insurers need to explain the benefits cyber insurance can bring.”

Graeme Newman, chief innovation officer at CFC, said it was worrying to see that 56% of SMEs do not have an incident response plan in place that outlines roles and responsibilities in the event of a cyber attack.

“SMEs must take a two-pronged approach to guarding against an attack – implementing good security and risk management practices along with a strong cyber insurance policy,” he said.

“For SMEs that are time-poor and cash-strapped, cyber insurance policies exist not only to pay for financial losses should their systems be compromised, but also to help them handle and resolve incidents quickly and effectively.”

However, Newman predicted that although only 9% of SMEs are worried about regulatory fines as a result of a cyber attack, that figure is likely to increase once companies are required to comply with the EU’s General Data Protection Regulation (GDPR) from 25 May 2018.

Whereas the UK’s privacy watchdog, the Information Commissioner’s Office, is currently able to issue penalties of up to £500,000, the GDPR will introduce fines of up to €20 million or 4% of an organisation’s annual global turnover, whichever is greater.

This means that if data breaches remain at 2015 levels, the fines paid to the European regulator could see a near 90 fold increase, from £1.4 billion in 2015 to £122 billion, the Payment Card Industry Security Standards Council (PCI SSC) has calculated, based on the maximum fine of 4% of global turnover.

For UK SMEs, this could see regulatory fines for data breaches rise to £52 billion, a 57 fold increase, averaging £13,000 per SME.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Cost of Yahoo hack shows executive cyber security responsibilities

Yahoo’s recent hacks reinforces the responsibilities on board executives for cyber security as the data losses have  cost its top lawyer his job, CEO Marissa Mayer millions in bonuses, and $350 million off its sale price.

Cost of Yahoo hack shows executive cyber security responsibilitiesThe Yahoo board has decided to withhold CEO Marissa Mayer’s 2016 annual bonus in connection with a series of data breaches and accepted her offer to forego her 2017 stock award.

The SEC filing also revealed that general counsel Ronald Bell has resigned without severance pay after an independent committee brought in to investigate the breaches concluded that the Yahoo management team failed to respond effectively to the breach discovered in 2014.

The investigation report said that although Yahoo’s security team had uncovered evidence that a hacker backed by an unnamed foreign government had breached user accounts in 2014, executives “failed to act sufficiently” and that the incident “was not properly investigated and analysed at the time.”

The investigation revealed that at the time the breach was discovered, Yahoo notified only 26 people that their accounts had been breached.

“The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident. The Independent Committee also found that the Audit and Finance Committee and the full board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters,” according to the SEC filing.

Yahoo did not disclose the 2014 breach until September 2016, when it began notifying holders of 500 million accounts that associated email addresses, birth dates, security question answers, and other personal information may have been stolen.

Don’t forget that this hack also effected BT and Sky email users- as they use the Yahoo email system as the backbone for their own white label systems.

Three months later, Yahoo revealed it had uncovered a separate hack in 2013 affecting about one billion accounts.

However, the SEC filing revealed that 32 million user accounts have also been accessed over the past two years by state-sponsored hackers using forged cookies. Evidence of the intrusions was discovered by an external forensic team investigating the previously disclosed breaches.

According to some security commentators, the news of the 32 million compromised accounts indicates that Yahoo is probably still struggling to understand the true scope of the breaches.

After months of speculation, Verizon announced in February 2017 a revised deal for acquiring Yahoo’s core business that was $350 million less than the original due to revelations of two major data breaches that were made after the deal was signed in July 2016.

The business cost of poor cyber security has been further underlined by the fact that more than 40 lawsuits have been filed seeking damages for the breaches, and Yahoo is facing an SEC probe into whether it appropriately disclosed information about the data breach.

The impact of the breaches hows that a cyber attack could also have a significant impact for companies in merger and acquisition discussions.

While the damage to reputation and brand has always been a primary reason for concern for organisations that were not seen to be implementing sufficient housekeeping and security controls, the real damage to Yahoo’s valuation will ensure that cyber security related issues become an even higher priority.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

GDPR data protection fines

GDPR- the General Data Protection Regulations and fines are less than 17 months away warns Cyber139. Happy New Year!

GDPR- the General Data Protection Regulations are less than 17 months away warns Cyber139

A two tiered system of fines will apply. Breaches of some provisions by businesses, which law makers have deemed to be most important for data protection, could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs.

For other breaches, the authorities could impose fines on companies of up to €10 million or 2% of global annual turnover, whichever is greater.

Hoping that BREXIT might help you? Wrong- speaking in parliament in the week before Christmas, UK digital minister Matt Hancock again confirmed that the GDPR “will become directly applicable in UK law on 25 May 2018”.

Data controllers could face more severe regulatory fines than data processors for failing to keep personal data appropriately secure under the new General Data Protection Regulation

One of the many changes that the new Regulation will deliver when it comes into force on 25 May 2018 is a new statutory obligation on data security that data processors must observe above and beyond contractual duties agreed with data controller customers.

Under current EU data protection rules service providers that process personal data on behalf of other businesses cannot be held directly liable to individuals for a breach of data security. If data processors are at fault for data breaches then it is the data controller who contracted with them whose neck is on the block for any non compliance with data protection laws, although the data processor could be liable to the data controller under their contract.

The Regulation addresses this anomaly but makes a distinction between the maximum fine data protection authorities will be able to levy against data controllers compared to data processors for failings on data security.

The relevant provisions on data security are contained under Articles 5 and 32 of the Regulation.

Article 5 sets out basic rules on personal data processing which only apply to data controllers, considered to be fundamental to data protection. One of those rules requires data controllers to ensure that personal data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

According to the Article 83 provisions of the Regulation on administrative fines, where data controllers breach that Article 5 requirement they can be served with the highest possible fine that data protection authorities will be able to issue under the reformed framework.

In contrast if data processors breach their statutory data security obligations, set out under Article 32, which requires them to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” of their personal data processing, then the most they could be fined is up to €10m or 2% of global annual turnover.

Data controllers are also subject to the Article 32 obligations. It therefore appears open to national data protection authorities to fine data controllers for any data security failings under Article 5 or Article 32. Their choice in those circumstances would impact on the severity of the fines they could issue.

Whether security measures are appropriate in each instance will depend on “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”, according to the Regulation.

Beyond the imposition of administrative fines for data security breaches, the Regulation will also introduce an updated right for data subjects to claim compensation for damages they suffer from such incidents.

A data controller or data processor could be sued for compensation as well as being exposed to the administrative fines – being fined will not shield it from compensation claims, and vice versa.

The revised right will allow data subjects to pursue either data controllers or data processors for all of the compensation owed to them for the damage they have suffered from a data breach, although a processor will only be liable for damage caused by processing where it has not complied with any part of the Regulation that applies to them or if it has “acted outside or contrary to lawful instructions of the controller”.

Data controllers pursued for damages will be able to claim back all or some of the money they pay out from their data processor if the data processor was  in fact responsible, wholly or in part, for the breach.

Equally, data processors will have the same right to claim back money from data controllers, or indeed other data processors involved, whose fault caused or contributed to the damage, if the data subject pursues the data processor for the full compensation pay-out.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139