Information Risks – Page 2

Government to strengthen UK data protection law

Posted on 15th August 2017 By Crimson Crab

People to have more control over their personal data and be better protected in the digital age under new measures announced by Digital Minister Matt Hancock.

The Government has committed to updating and strengthening data protection laws through a new Data Protection Bill which will:

Make it simpler to withdraw consent for the use of personal data
Allow people to ask for their personal data held by companies to be erased
Enable parents and guardians to give consent for their child’s data to be used
Require ‘explicit’ consent to be necessary for processing sensitive personal data
Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA
Update and strengthen data protection law to reflect the changing nature and scope of the digital economy
Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them
Make it easier for customers to move data between service providers

New criminal offences will be created to deter organisations from either intentionally or recklessly creating situations where someone could be identified from anonymised data.

Businesses will be supported to ensure they are able to manage and secure data properly. The data protection regulator, the Information Commissioner’s Office (ICO), will also be given more power to defend consumer interests and issue higher fines, of up to £17 million or 4 per cent of global turnover, in cases of the most serious data breaches.

The intention of the Data Protection Bill is to implement the GDPR in full, put the UK in a strong position to secure unhindered data flows once it has left the EU, and give businesses the clarity they need about their new obligations.

The GDPR will apply fully from 25th May 2018. If you would like to know the steps to take to comply with the new rules please register for our series of email guides here.

BBC News: Customers 'furious' with TNT after cyber-attack meltdown

Posted on 10th August 2017 By Robert Briggs

I saw this on the BBC and thought you should see it:

Customers ‘furious’ with TNT after cyber-attack meltdown – http://www.bbc.co.uk/news/technology-40861982

Unsolicited Marketing Emails

Posted on 9th August 2017 By Crimson Crab

Recently we seem to have had a spate of marketing emails from people without any regard for the rules on privacy!

We all make mistakes but a lack of knowledge of the rules puts their business reputation at risk and exposes them to a substantial fine.

If you provide unsolicited marketing material, the Information Commissioner’s Office produces a handy Direct Marketing Checklist which includes a guide to the marketing rules. You can download it here.

Facebook calls for a more people-centric security industry

Posted on 27th July 2017 By Robert Briggs

a rusty and trust padlock on a beach, looking after a business reputation

BBC news: Facebook calls for a more people-centric security industry

Could new data laws end up bankrupting your company?

Posted on 11th July 2017 By Robert Briggs

BBC News: Could new data laws end up bankrupting your company? – http://www.bbc.co.uk/news/business-40441434

Cookie banner frustration

Posted on 10th July 2017 By Crimson Crab

The European Commission has proposed new regulations that would limit the way companies track users on the internet.

Part of that plan would see the removal of website banners that provide disclaimers on cookie policies and instead have the user’s browser preferences automatically apply to each site they visit. In addition companies will need to get explicit consent from a user before being allowed to track their online activities.

If passed, the new rules will come into effect by May 2018.

Website security risks

Posted on 7th July 2017 By Crimson Crab

The ICO has issued a £60,000 fine to Boomerang Video Ltd after it suffered a cyber attack. An investigation by the ICO found the Berkshire-based company failed to take basic steps to stop its website being attacked.

Do I need to appoint a Data Protection Officer to comply with the GDPR (General Data Protection Regulations)?

Posted on 3rd July 2017 By Crimson Crab

Not necessarily, but you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR and so you can appoint a data protection officer (DPO) if that helps you meet this criteria.

The GDPR says that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.

Public authorities (except for courts acting in their judicial capacity) are required to appoint a data protection officer (DPO), as is any organisation carrying out large scale systematic monitoring of individuals (for example, online behaviour tracking); or carrying out large scale processing of special categories of data or data relating to criminal convictions and offences.

The DPO’s minimum tasks are defined in Article 39:

To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

You must ensure that:

The DPO reports to the highest management level of your organisation – ie board level.
The DPO operates independently and is not dismissed or penalised for performing their task.
Adequate resources are provided to enable DPOs to meet their GDPR obligations.

The role of DPO can be allocated to an existing employee. As long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests. You can also contract out the role of DPO externally.