Data Protection | Not Just Computers

GDPR is coming!

Paul Benn — Wed, 18 Apr 2018 19:42:10 +0000

We can hide from it but truth is the new General Data Protection Regulations (GDPR) are coming into effect on 25th May 2018, these new regulations affect the personal data that every business processes, further more the definition of Personal Data has changed.

What is the definition of Personal Data?

The GDPR changes the definition of personal data, it is fair to say that information you would previously not have classified as Personal Data will be under the GDPR.

GDPR Article 4.1 - Definition of Personal Data ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Countdown to GDPR becoming active

Day(s)

Hour(s)

Minute(s)

Second(s)

No need to panic if you are not ready, there are no immediate fines,
but you should think about protecting your data and we are here to help.

What do you need to do?

This is different for every business but there is some common ground, the very first thing that you need to do is a DPIA (Data Protection Impact Assessment), in its simplist form this is a list of all the different types of personal data you process, why you process it, on what legal basis you process and how you protect and manage it, you may remember from a previous post we described the GDPR as a “risk based regulatory framework”, with that in mind you need to put policies and procedures into place to reduce your liability by reducing any potential damages to the rights and freedoms of any person.

Once you have your DPIA then you can question if you actually need the data and then minimise the personal data that you hold and protect it.

Security by design

GDPR states that security should be by design and with the current technologies available but without involving unrealistic costs, some of the security measures you can implement can be done very cost effectively, for example ‘Access Permissions’ only giving access to those that actually need access, another measure may be disk encryption, if enabling disk encryption then there are some specific guidelines from the NCSC (National Cyber Security Centre) which should be implemented, if you need assistance implementing protection then please get in contact.



Our Top Tip!

A Cyber Essentials Certificate is a great way for you to ensure and demonstrate that you have taken adequate security measures on your computers to keep them safe from Cyber Threats.

What this GDPR then?

Paul Benn — Mon, 05 Feb 2018 20:40:13 +0000

GDPR is the General Data Protection Regulations (GDPR) that come into effect on 25th May 2018, it is the biggest change to Data Protection in 20 years and is long overdue, the amount of personal data we process and the way we process it has changed vastly and all businesses need to demonstrate that they care and respect the data they are privileged to maintain, the GDPR is best described as a “risk based regulatory framework”, you need to asses your risks to the data and then put monitoring, detection and response controls in place, these come in many forms.

For most businesses the change is actually not that big, it would be fair to say that most respectful businesses already treat the Personal data they maintain with respect and care but have not documented how they maintain the data and how to put things right, the GDPR puts a requirement on businesses to have a clear and concise Data Protection Policy in place and then demonstrate how the policy is applied.

What is Personal Data

The GDPR changes the definition of personal data, it is fair to say that information you would previously not have classified as Personal Data will be under the GDPR.

GDPR Article 4.1 - Definition of Personal Data

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Can I still process Personal Data?

Of course you can, but you must have a Lawful Reason to process the data, there are 6 lawful reasons for processing data, there is no hierarchy to the reasons.

GDPR Article 6 Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

Everyone is talking about big fines!

There is no hiding from the fact that the GDPR does include provision for some hefty fines, as we have said the GDPR is a “risk based regularity framework” the implementation of the GDPR in your business is all about mitigating those fines with you monitoring, detection and response controls, however it is worth noting that Elizabeth Denham of the Information Commissioners Office (ICO) has consistently said she “would rather use the Carrot than the Stick” and fines will be a last result saved for persistent offenders and serious cases. the ICO have

What do I need to do?

The very fist thing you need to do is asses what Personal data you hold, how has access to it and where it is going, then you need to risk asses the data and implement monitoring, detection and response controls, these will vary depending on the data and how much control you have over those controls, this is know as a Data Protection Impact Assessment.

Need Help!

No doubt all the information above is very helpful but you may feel overwhelmed by the task, not to worry we can help you, we have several packages and can create a bespoke package for you.

Data Protection | Not Just Computers

GDPR is coming!

What is the definition of Personal Data?

Countdown to GDPR becoming active

What do you need to do?

Security by design

Our Top Tip!

Further Reading

GDPR is coming!

What this GDPR then?

Some Help with Passwords!

Small Business Cyber Security Risk

The Annoying OPT-IN Message

What this GDPR then?

What is Personal Data

Can I still process Personal Data?

Everyone is talking about big fines!

What do I need to do?

Need Help!

Further Reading

GDPR is coming!

What this GDPR then?

Some Help with Passwords!

Small Business Cyber Security Risk

The Annoying OPT-IN Message