
It’s that time of year when people are packing those flip flops and shorts to enjoy their summer holidays or simply take time out of the office.

If you’re going abroad, then depending on where you go there are data protection laws that you have to comply with when collecting or processing (i.e. accessing) personal data that is used in a commercial capacity (e.g. customer, employee or business partner emails). You don’t know who is monitoring the internet access in the location you are in. If you’re taking paper documents with you, how do you know who has access to your hotel room? What controls are in place to prevent access to personal information on a portable device that you’ve left in your hotel room whilst you were out on the beach?

If you’re checking emails and need to respond to one that cannot wait until you return or is labelled “urgent”, and you’re doing so over free wifi, this poses a significant risk, as these networks can be particularly vulnerable.

Even if you’re not checking emails, if you use your device for both work and personal use and a pop-up appears while you are browsing (in a language you don’t recognise, yet you feel compelled to click the green button or tick the box), this could lead to malware being installed. Such malware could lie dormant for days or weeks and then activate once you’re back home, affecting your home network or even the company network and possibly granting the hacker unrestricted access.

Techniques such as “phishing” are becoming increasingly common and ever more sophisticated. Bear in mind, too, that if you’re asked by customs or a government official to hand over your device for examination, it is likely that they will require access to the device and its contents before they approve your entry to their country.

So, what can you do to prevent a situation that might lead to a compromise of personal data whilst you’re on the beach supping that 6th/7th/8th (maybe you’ve lost count) Pina Colada? Here are a few tips to help you get started:

  1. The obvious advice is: don’t take work devices with you if you don’t need to.
  2. If you do have to take the device, make sure that any work information or personal data of employees, customers or business partners is removed from it (you can uninstall work applications and email accounts and re-install them when you return).
  3. Do not open files or attachments from people you don’t know, and do not click on links in emails from unknown senders.
  4. If you have to keep personal information, or records that include personal information, on your device whilst on holiday, make sure you complete a full backup and leave it somewhere safe (in the office perhaps?) before you leave, in case the data is lost during your vacation.
  5. Depending on the level of sophistication of your IT infrastructure, you may want to run your device in a virtual environment whilst you’re on holiday, as that will ensure that any issues or viruses are contained within the virtual environment.
  6. A password management policy should already be in place within your organisation, but if it isn’t then it is worth changing your passwords for when you’re on holiday and changing them back when you return (or, better still, changing to a new, previously unused password).
  7. If you don’t need to have your Bluetooth or wi-fi on, then turn it off!

Martin de Bruin, CEO, suggests that you do not leave your device unattended at any time:

“Whilst the lure of another cocktail as you’re sat by the pool or sea running on ice-cubes and are in urgent need of a refill might seem appealing, keep your device with you! Also, if you lose your device or if it’s stolen you will need to report it immediately to your employer and company Data Protection Officer, stating exactly which customers’ information was accessible on the device and/or employees’ or business partners’ personal data as well. It may require a notification to the Information Commissioner’s Office or even to the users whose data has been affected.”

For further information or advice on how to create and implement appropriate policies around information security, data protection or device management for your organisation, contact info@deslyon.com today.


GDPR Privacy by Design & Default

Should Privacy by Design be mandatory?

Privacy by design and default (PBDD) may prove to be far more useful in the world of privacy and data protection than it is considered now. Under article 25 of the GDPR a controller is required to implement PBDD by appropriate technical and organisational measures – but is that enough?

Controllers are expected to consider data protection issues as part of the design and implementation of systems, IT, services, products and business practices: to integrate or ‘bake in’ data protection into processing activities and business practices, from the design stage right through the lifecycle, and to anticipate risks and privacy-invasive events before they occur.

Until there is a specific rule or a tightening of regulation, organisations choose for themselves whether to actively take risk measures via PIAs (Privacy Impact Assessments) and/or use privacy-enhancing technologies (PETs), which means they may not be protecting personal data sufficiently; a lack of action could result in personal data being put at risk.

A fine of 10 million euros (or 2% of global revenue) may be imposed if it is found that personal data was not protected when a significant new service, policy or implementation affecting personal data was introduced, which leaves no real excuse for not introducing PBDD. Deslyon believes PBDD should be mandatory when it is clear personal data is at risk through an organisation making changes, since those changes could otherwise leave the organisation GDPR non-compliant and potentially in breach of the regulation.

It is understood that the UK ICO and the EDPB (European Data Protection Board) are considering certification for PBDD (identifying certification criteria under Articles 42 and 43, alongside EDPB-approved draft guidelines on certification mechanisms). Until certification is in place to improve this situation for privacy by design and default, Deslyon recommends that all organisations processing personal data implement PBDD when making significant changes that involve personal data.

Organisations should ensure that personal data is automatically protected, specifically when major changes are made, such as replacing an HR system or developing new systems that include personal data. Where an organisation has a DPO (Data Protection Officer) it is likely they will ensure PBDD is carried out; where no DPO is employed, the security officer, GDPR specialist or similar representative will always benefit from practising privacy by design and default.

Article by Phil Lyon, COO of Deslyon.
Phil Lyon, MBA, CISMP, ISO27001 Lead Auditor, GDPR Practitioner.
Contact info@deslyon.com to discuss how we can help your business.


Definition of a Data Breach: “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.” (source: ico.org.uk).

$2.1 trillion – the economic cost of data breaches globally

A study by Juniper Research back in 2015 estimated that the economic cost of data breaches is set to quadruple to $2.1 trillion globally by 2019 (https://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion).

Depending on the nature of the breach and what data has been compromised, calculating the cost of a data breach in real terms can be quite a complex equation (and more often than not, estimates fall considerably short of the final total). In fact, as reported by TechRadar last year, since Equifax announced its personal data breach in September 2017 (two months after the actual breach occurred), the company had, by its SEC filing for Q1 18 results, incurred a total of $242m of expenses related to the incident and incremental IT and data security costs, of which $68.7m was in Q1 18 alone*.

The costs of a data breach

  • Conducting an investigation into the cause of the breach (a task that may require resource from outside the organisation)
  • Ascertaining the likely number of data subjects affected
  • Organising the response team and executing the incident response plan
  • PR and external communication strategy (customers, shareholders, suppliers/vendors, security)
  • Legal expenses as well as remediation measures (updating contracts, installing new security software, replacing physical security equipment, reimbursing customers and compensation)

There are also the after-effects to consider when counting the cost of a data breach. These may include the effect on the share price and share performance in subsequent months: the Equifax share price, which reached levels of approximately $140 between July and 6th September, has never recovered to those levels, and in fact dropped to as low as $89 in just under a week after the breach was announced. Of course, customers will probably terminate their accounts and move to competitor offerings, and any new business will more than likely be qualified out very quickly.

In some cases, the cost of a single data breach or lawsuit may be large enough to shut down an organisation and destroy a career, as numerous news articles have reported (one example being https://blogs.wsj.com/bankruptcy/2012/03/12/burglary-triggers-medical-records-firm’s-collapse/).

How can you prevent a Data Breach?

There are a number of measures you can implement that will help to minimise the risk of being subject to a data breach. These include (but are not limited to) the following:

  • Encryption of data (both at rest and in motion)
  • Training of staff so that they’re aware of their obligations when it comes to data protection
  • Updating policies (such as remote working, bring your own device, staff internet usage, USB/external device policy)
  • Penetration testing of systems
  • Information system security assessments
  • 3rd party supplier/vendor due diligence (and the ability to audit your partners)

Contact info@deslyon.com to discuss how we can help your business.

(*Source: https://www.sec.gov/Archives/edgar/data/33185/000003318518000017/exhibit99120180331.htm)


There is no doubt that the enforcement of the European General Data Protection Regulation on May 25th 2018 caused a seismic shift in the commercial world, as well as across government departments and not-for-profit organisations far and wide. But it doesn’t just apply to EU businesses. As stated on the Europa.eu website, “the law applies to:

  1. a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
  2. a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.”*

So, if you’re (for example) a business with an office based in Ireland, and you collect or process personal data of US citizens, then because your business has premises in the EU (Ireland) it must protect the personal data of those non-EU citizens in the same way as if they were EU citizens.

If you are a company based solely in (let’s say) the US and you serve customers/users/audiences who are citizens of any EU country, then you must have appropriate safeguards and measures in place to protect the personal data of those customers/users/audiences.

Personal data is defined (in the official GDPR text) as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

If you process personal data and one of the above scenarios applies to you, the regulation also states that you must appoint a Data Protection Officer if:

  1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity
  2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular or systematic monitoring of data subjects on a large scale, or
  3. the core activities of the controller or processor consist of processing on a large scale of special categories of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, processing of genetic data, biometric data for the purpose of identifying a natural person, data concerning health or a natural person’s sex life/orientation). Incidentally, you are prohibited from processing such special categories of data unless you have received explicit consent from the data subject, or you can justify processing via another legal basis.

Processing, as defined under Article 4 of the GDPR, means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

The Regulation does not apply to companies that are based outside the EU and only serve a non-EU customer/user/audience base. So, if you do not target your services at EU-based individuals, then the GDPR does not apply to you. However, there may be other data protection laws that your business is subject to.

(*Source: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en)
