
Category Archives: Data Privacy (EU-GDPR)


GDPR Part II - Basic Overview

Posted on July 16th, 2017 by

What does the GDPR cover?

The GDPR covers any information processed by your organisation in regard to a natural person or data subject. In plain English that’s any identifiable person that is still alive. The GDPR covers personally identifiable information (PII) and includes any set of information that can be used to identify a Data Subject including (but not limited to) names, addresses, email addresses and financial data.

Does it apply to my organisation?

Yes! It’s as simple as that – it applies to every organisation in the UK and Europe irrespective of the outcome of Brexit talks.

What are the main principles of the GDPR?

The GDPR covers the collection, processing, storage and destruction of sensitive data. We’ll cover compliance in more detail in a future email but for now there are some very important principles:

  • Personal data must be processed lawfully, fairly and transparently.
  • Personal data can only be collected for specified purposes.
  • Personal data must be relevant and limited to what is necessary.
  • Personal data must be accurate and up to date.
  • Personal data must be kept in a form such that the data subject can be identified only as long as is necessary.
  • Personal data must be processed in a manner as to ensure its security.

In a nutshell – What does that really mean for my business?

It means you need to know your data in a way you have probably never considered before. You need to understand your entire data lifecycle and ensure you are compliant at each stage.

  • Collection – Have you gained consent to collect and process the data? Consent under the GDPR is very specific. If you require the data for four purposes you must gain consent explicitly for all four. Implied consent is not enough!
  • Processing – Is your use of data lawful and transparent? Is what you are doing with your data necessary and are data subjects aware of how you are utilising their information?
  • Storage – Where does your data reside – is it local or cloud based? Are appropriate controls in place to protect that data? Can you locate data about an individual if asked to provide it?
  • Transfer – If data is being transferred within and without your organisation, is it being done lawfully? Are you sure it is safe in transit and are you sure that the recipient of that data is also GDPR compliant?
  • Destruction – Are you retaining data only as long as is necessary? There is an in-built ‘right to be forgotten’ in the GDPR so destruction of data is as critical as its collection.

Where do I even start?

This can all seem a bit daunting and in truth, there is a lot of work to be done. However, it can be broken down into manageable steps – the key is documentation! Businesses have until May 2018 to ensure compliance so there is absolutely no need to panic.

We’ve broken this down into four concepts you need to consider:

People – Policies – Technology – Monitoring

The two most critical bits here are people and policies. There is no magic technological fix to the GDPR. Training, policies, procedures, and written contracts will always trump technical intervention. That’s not to say technical controls are superfluous. There are times when technology is absolutely the answer but technology should be implemented to address a specific risk that is not addressed by people and policies.

What can Geek-Guru do to help?

We are keen to stress that all of this can be done internally – it does not require external intervention to achieve compliance. That being said we also appreciate that many of our clients will not have the time or inclination to do this themselves. We have worked hard to ensure our team is up to the challenge of assisting our clients with GDPR. Just drop us a line to book a consultation!

Posted in: Data Privacy (EU-GDPR), It 4 business, IT Security

EU-GDPR is on the way

Posted on June 06th, 2017 by

As you may or may not be aware the data protection act is coming to an end. The data protection act was implemented two decades ago and the world of business IT has changed significantly in that time. The EU-GDPR (General Data Protection Regulation) is the replacement and in May 2018 this legislation will take effect in the UK (it will take effect irrespective of Brexit outcomes).

This legislation is fairly significant. The data protection act left a great deal up to individual businesses as to how they went about protecting personal data. For most organisations data protection took a back seat over day-to-day business. The EU-GDPR is significantly more prescriptive and the fines for non-compliance are potentially very high (up to 4% of turnover or €20 million).

At Geek-Guru we have been preparing for the EU-GDPR for some time.

Whilst the EU-GDPR has now been formalised there is still some uncertainty about how the legislation will be formalised in UK law. The feeling is therefore that this will very much be an evolving subject with changes coming in as and when these laws are tested in court. The key term here is ‘tested in court’. This legislation gives a great deal of power to ‘data subjects’. These are the people for which you hold personal data. We do not want our clients to become test cases in what will be one of the most wide-reaching changes in IT legislation for decades.

So, what can you do?

There are several aspects to this. Some are technical – such as IT security provision. Some are policy and procedures – such as incident management. However, the majority of your obligations will come down to data itself. How data is identified, how data is stored, how data is processed and how data is protected. The key provision in the legislation is ‘data protection by design and by default’. For this to happen you will need to understand your data in a way that you’ve probably never had to think about before.

Over the coming weeks we will be putting together info for our clients on what you will need to do, who you will need to speak to, and what you will need to look at to ensure you are compliant. In the short term, we feel that it would be good if clients start thinking about where their data is stored, what applications are used to store personal data, and how they are accessed. If these are big named software houses like Sage and Microsoft then the changes should be possible with limited fuss and expense. If these are custom applications, or older legacy applications, then now may be the time to start a dialogue with your software provider about what they have planned for EU-GDPR compliance. This absolutely should not be left until the last minute!

What can Geek-Guru help with?

Within a few months we will have the following certifications and specialisms on board:

CIPP – Certified Information Privacy Professional/Europe

https://iapp.org/certify/cippe/

CISSP – Certified Information Systems Security Professional

https://www.isc2.org/cissp/default.aspx

CND – Certified Network Defender

https://www.eccouncil.org/programs/certified-network-defender-cnd/

ECES – Certified Encryption Specialist

https://www.eccouncil.org/programs/ec-council-certified-encryption-specialist-eces/

As I’m sure you can appreciate this is huge investment in regard to engineer training and recruitment. However, it is the only way we feel that we can provide the level of expertise that will be required of us going forward.

We will be putting together some consultancy packages to help clients with the transition. This will include help with policies and procedures and also with technical measures that will be required to achieve compliance. We’re also on hand for any questions or advice you may need.

Posted in: Data Privacy (EU-GDPR), It 4 business, IT Security